Re: [Full-Disclosure] anyone seen this worm/trojan before?
From: Joshua Levitsky (jlevitsk_at_joshie.com)
Date: 06/03/04
- Previous message: Perrymon, Josh L.: "RE: [Full-Disclosure] anyone seen this worm/trojan before?"
- In reply to: Perrymon, Josh L.: "[Full-Disclosure] anyone seen this worm/trojan before?"
- Next in thread: insecure: "Re: [Full-Disclosure] anyone seen this worm/trojan before?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Perrymon, Josh L." <PerrymonJ@bek.com>
Date: Thu, 3 Jun 2004 15:22:31 -0400
On Jun 3, 2004, at 1:54 PM, Perrymon, Josh L. wrote:
> I found this worm/trojan on a laptop. Ran FPort and found the .exe.
> Doesn't look like it propagates to other machines but rather communicates
> with a compromised web company's server using IRC. The compromised server
> has removed the IRC service. Only sends RST packets back.
>
> I put it on my site.
>
> http://www.packetfocus.com/analysis.htm
>
> I would like to know the attack vectors. I'm guessing LSASS.
>
It's a variant of W32.Spybot.Worm apparently. Symantec AntiVirus Defs as
of 6/3/04 Rev 36 (just created) detect it.
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symcrapidreleasedefsi32.exe
-Josh
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html