RE: [Full-Disclosure] anyone seen this worm/trojan before?
From: Perrymon, Josh L. (PerrymonJ bek.com)
Date: Thu Jun 03 2004 - 14:45:11 CDT
I read the link below and noticed that this worm must be a variant because
the .exe is not the same and I don't notice any means of network scanning or
propagation.
JP
-----Original Message-----
From: Harlan Carvey [mailto:keydet89 yahoo.com]
Sent: Thursday, June 03, 2004 2:25 PM
To: full-disclosure netsys.com
Cc: Perrymon, Josh L.
Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?
Josh,
I tried to download the archive, and McAfee alerted me
to "W32/Sdbot.worm.gen.g".
From:
http://www.sophos.com/virusinfo/analyses/w32sdbotcf.html
"W32/SdBot-CF spreads to other computers on the local
network protected by weak passwords."
> I found this worm/trojan on a laptop. Ran FPort and
> found the .exe.
I checked out your web site...don't you think that the
information you found via fport would be useful to
others, such as the port, etc?
> Doesn't look like it propagates to other machines
> but rather communicates
> with a compromised
> web company's server using IRC. The compromised
> server has removed the IRC
> service. Only sends RST packets back.
>
> I put it on my site.
>
> http://www.packetfocus.com/analysis.htm
>
> I would like to know the attack vectors. I'm
> guessing LSASS.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html