Fw: [Full-Disclosure] Virus, whether the scanners say so or not?
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: Fw: [Full-Disclosure] Virus, whether the scanners say so or not?
- From: "morning_wood" <se_cur_ity@xxxxxxxxxxx>
- Date: Mon, 1 Sep 2003 08:37:56 -0700
----- Original Message -----
From: "morning_wood" <se_cur_ity@xxxxxxxxxxx>
To: "Scott Phelps / Dreamwright Studios" <scottp@xxxxxxxxxxxxxxx>
Sent: Monday, September 01, 2003 8:37 AM
Subject: Re: [Full-Disclosure] Virus, whether the scanners say so or not?
> let us find some function and the fun strings in your wupdated.exe sample.
> YOU DON'T NEED AN AV TO TELL YOU THE FUNCTIONS
> OR THAT IT IS A TROJAN / WORM
>
> and the correct identification is sdbot5b; this is a trojan worm bot
> compiled from c sources with lcc.
>
> the servers connecting and controlled are
> sm0k3.ath.cx - 27.0.0.1
> fewl.ath.cx - 127.0.0.1
>
> irc channels #keke0394l and #emohtob (bothome backwards)
>
>
> sdbot 0.5b with SYN flood by [sd]
>
> notes:
> --------- snip --------------
> 0000ED7C 0042837C 0 sm0k3.ath.cx
> 0000EDA6 004283A6 0 fewl.ath.cx
>
>
> 0000EFAC 004285AC 0 SYNFlood
> 0000EFE4 004285E4 0 irc_connect
> 00010233 00429833 0 jamesbrown
>
> 00010523 00429B23 0 \IPC$
> 0001052E 00429B2E 0 net use * "%s" "%s" /user:"%s"
> 0001058D 00429B8D 0 [SCANNING] Address: %s Port: 139
> 00010695 00429C95 0 lcc runtime: GP fault. Stack trace
> ------------- snip -----------
>
> do some detective work, did you even try to load it in notepad?
> the above was obtained via "bintext" by Foundstone viewing the binary.
>
> Donnie Werner
> http://e2-labs.com
> http://exploitlabs.com
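The bintext step above, as an added example that is not part of the original post: a small Python strings extractor that lists printable ASCII and UTF-16LE runs with their file offsets and flags the kinds of indicators the post picks out (hostnames, IRC channels, SMB share names, `net use` command lines, flood routines). The sample blob and the indicator patterns are constructed for illustration; the memory-address column bintext prints is not reproduced, since that needs the PE section table.

```python
import re
from typing import Dict, List, Tuple

MIN_LEN = 4  # shortest run reported, matching a typical strings-tool default
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)         # printable ASCII runs
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)  # UTF-16LE runs

# Constructed triage patterns: the categories are assumptions chosen to
# match the kinds of strings the post singles out from the sample.
INDICATORS = [
    ("host", re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)),
    ("irc_channel", re.compile(r"#[a-z0-9_]{3,}", re.I)),
    ("smb_share", re.compile(r"\\[A-Za-z]+\$")),
    ("net_use", re.compile(r"\bnet use\b", re.I)),
    ("flood", re.compile(r"flood", re.I)),
]

def extract_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (file_offset, kind, text) per run; kind is 'A' (ASCII) or 'U' (UTF-16LE)."""
    found = [(m.start(), "A", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "U", m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(data)]
    return sorted(found)

def triage(strings: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Group extracted strings by the indicator category they match, in offset order."""
    hits: Dict[str, List[str]] = {}
    for _offset, _kind, text in strings:
        for tag, rx in INDICATORS:
            if rx.search(text):
                hits.setdefault(tag, []).append(text)
    return hits

# Constructed stand-in for a binary: a fake header, padding, then strings of
# the kind listed in the post (not the real wupdated.exe bytes).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"sm0k3.ath.cx\x00fewl.ath.cx\x00#emohtob\x00"
    + b"SYNFlood\x00irc_connect\x00\\IPC$\x00"
    + b'net use * "%s" "%s" /user:"%s"\x00\x00'
    + "sdbot 0.5b with SYNFlood by [sd]".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    for offset, kind, text in strings:
        print(f"{offset:08X} {kind} {text}")  # file offset / A|U / string, bintext style
    for tag, texts in triage(strings).items():
        print(f"[{tag}] {', '.join(texts)}")
```

Run it against a real file by replacing `SAMPLE` with `open(path, "rb").read()`; the NUL-padding before the wide string shows why a trailing ASCII character is not swallowed into a UTF-16 run.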
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html