Re: [Full-Disclosure] anyone seen this worm/trojan before?

From: insecure (insecure_at_ameritech.net)
Date: 06/03/04

  • Next message: Lupe Christoph: "[Full-Disclosure] Re: Netgear WG602 Accesspoint vulnerability"
    To: "Perrymon, Josh L." <PerrymonJ@bek.com>
    Date: Thu, 03 Jun 2004 14:27:03 -0500
    
    

    Perrymon, Josh L. wrote:

    >I found this worm/trojan on a laptop. Ran FPort and found the .exe.
    >Doesn't look like it propagates to other machines but rather communicates
    >with a compromised web company's server using IRC. The compromised server
    >has removed the IRC service. Only sends RST packets back.
    >
    >I put it on my site.
    >
    >http://www.packetfocus.com/analysis.htm
    >
    >I would like to know the attack vectors. I'm guessing LSASS.
    >
    >Joshua Perrymon
    >PGP Fingerprint
    >51B8 01AC E58B 9BFE D57D 8EF6 C0B2 DECF EC20 6021
    >
    >
    >
    McAfee VirusScan 7.1 with 4364 DAT detects it as W32/Sdbot.worm.gen.g.
    Other than that, they have no information besides that they first
    noticed it on 5/26/2004.

    It may spread through lsass, but this type of worm is usually limited to
    spreading through network shares with weak password protection.

    Jerry

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
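One way to triage an FPort listing for the pattern discussed in this thread (an IRC-connected bot found by mapping ports to executables), as an added example that is not part of the thread and not FPort's own code: parse the "Pid Process -> Port Proto Path" lines and flag processes that bind IRC-range ports, run an ident (113) responder alongside an IRC socket, or run a system-binary name from outside the system directory. The line layout is an assumption modeled on FPort's output, the sample listing and the process name `updater` are constructed for this example, and the port and path rules are heuristics, not signatures.

```python
import re
from collections import defaultdict
from typing import Dict, List

# One FPort data line: "Pid  Process  ->  Port  Proto  [Path]" (layout assumed).
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

IRC_PORTS = set(range(6660, 6670)) | {7000}  # common IRC server ports (heuristic)
IDENT_PORT = 113                              # IRC bots often answer ident lookups
SYSTEM_NAMES = {"svchost", "lsass", "services", "winlogon", "csrss"}
SYSTEM_DIRS = ("c:\\winnt\\system32", "c:\\windows\\system32", "c:\\program files")

# Constructed sample listing; 'updater' stands in for the unnamed bot .exe.
SAMPLE_FPORT = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
1204  updater        ->  113   TCP   C:\WINNT\system32\updater.exe
1204  updater        ->  6667  TCP   C:\WINNT\system32\updater.exe
668   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
1540  svchost        ->  1034  TCP   C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
"""


def parse_fport(text: str) -> List[Dict]:
    """Return one dict per socket line; banner/header/blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, proc, port, proto, path = m.groups()
        entries.append({"pid": int(pid), "process": proc, "port": int(port),
                        "proto": proto, "path": path.strip()})
    return entries


def triage(entries: List[Dict]) -> Dict[int, List[str]]:
    """Group sockets by PID and return {pid: [reasons]} for suspicious processes."""
    by_pid: Dict[int, List[Dict]] = defaultdict(list)
    for e in entries:
        by_pid[e["pid"]].append(e)

    findings: Dict[int, List[str]] = defaultdict(list)
    for pid, socks in by_pid.items():
        name = socks[0]["process"]
        path = socks[0]["path"]
        tcp_ports = {s["port"] for s in socks if s["proto"] == "TCP"}

        irc = sorted(tcp_ports & IRC_PORTS)
        if irc:
            findings[pid].append(f"{name} bound to IRC port(s) {irc}")
        if irc and IDENT_PORT in tcp_ports:
            findings[pid].append("ident (113) responder alongside IRC socket, typical of IRC bots")

        # Path rules only apply when FPort reported a path (kernel 'System' has none).
        if path:
            in_system_dir = path.lower().startswith(SYSTEM_DIRS)
            if not in_system_dir:
                findings[pid].append(f"executable outside standard locations: {path}")
            if name.lower() in SYSTEM_NAMES and not in_system_dir:
                findings[pid].append(f"system binary name '{name}' running from non-system path")
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in sorted(triage(parse_fport(SAMPLE_FPORT)).items()):
        print(f"PID {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

Run it against a saved FPort capture by replacing `SAMPLE_FPORT` with the file contents; anything it flags still needs manual confirmation (hash the binary, check its strings for IRC commands and share-enumeration logic) before treating it as the bot.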

