Re: [Full-Disclosure] anyone seen this worm/trojan before?
From: insecure (insecure@ameritech.net)
Date: Thu Jun 03 2004 - 14:27:03 CDT
Perrymon, Josh L. wrote:
>I found this worm/trojan on a laptop. Ran FPort and found the .exe.
>Doesn't look like it propagates to other machines but rather communicates
>with a compromised web company's server using IRC. The compromised server
>has removed the IRC service. Only sends RST packets back.
>
>I put it on my site.
>
>http://www.packetfocus.com/analysis.htm
>
>I would like to know the attack vectors. I'm guessing LSASS.
>
>Joshua Perrymon
>PGP Fingerprint
>51B8 01AC E58B 9BFE D57D 8EF6 C0B2 DECF EC20 6021
>
>
>
McAfee VirusScan 7.1 with 4364 DAT detects it as W32/Sdbot.worm.gen.g.
Other than that, they have no information besides that they first
noticed it on 5/26/2004.
It may spread through lsass, but this type of worm is usually limited to
spreading through network shares with weak password protection.
Jerry
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html