Re: [Full-Disclosure] anyone seen this worm/trojan before?

From: Joshua Levitsky (jlevitsk_at_joshie.com)
Date: 06/03/04

  • Next message: insecure: "Re: [Full-Disclosure] anyone seen this worm/trojan before?"
    To: "Perrymon, Josh L." <PerrymonJ@bek.com>
    Date: Thu, 3 Jun 2004 15:22:31 -0400
    
    

    On Jun 3, 2004, at 1:54 PM, Perrymon, Josh L. wrote:

    > I found this worm/trojan on a laptop. Ran FPort and found the .exe.
    > Doesn't look like it propagates to other machines but rather
    > communicates with a compromised web company's server using IRC. The
    > compromised server has removed the IRC service. Only sends RST
    > packets back.
    >
    > I put it on my site.
    >
    > http://www.packetfocus.com/analysis.htm
    >
    > I would like to know the attack vectors. I'm guessing LSASS.
    >

    It's a variant of W32.Spybot.Worm apparently. Symantec AntiVirus Defs as
    of 6/3/04 Rev 36 (just created) detect it.

    ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symcrapidreleasedefsi32.exe

    -Josh

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

