RE: [Full-Disclosure] Backdoor.Sdbot.N Question

["James Patterson Wicks" <pwicks@xxxxxxxxxx>]

Update:  Looked at the firewall and saw that some systems were trying to 
contact outside systems on ports 135 and 445.  It looks and acts like 
"W32.HLLW.Gaobot.AA", but it would have to be some sort of variant due to the 
change in the file names.  Whatdoyathink?

-----Original Message-----
From: James Patterson Wicks 
Sent: Monday, September 08, 2003 4:18 PM
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] Backdoor.Sdbot.N Question


Anyone know how Backdoor.Sdbot.N spreads?  This morning we had several users 
pop up with this trojan (or a new variant).  These users generated a ton of 
traffic until their machines were unplugged from the network.  There systems 
have all the markers for the Backdoor.Sdbot.N trojan (registry entries, etc), 
but was not picked up by the Norton virus scan.  In fact, even it you perform a 
manual scan after the trojan was discovered, it is still not detected in the 
scan.

I would also like to know if this is also an indicator of not having the patch 
for the Blaster worm.

This e-mail is the property of Oxygen Media, LLC.  It is intended only for the 
person or entity to which it is addressed and may contain information that is 
privileged, confidential, or otherwise protected from disclosure. Distribution 
or copying of this e-mail or the information contained herein by anyone other 
than the intended recipient is prohibited. If you have received this e-mail in 
error, please immediately notify us by sending an e-mail to 
postmaster@xxxxxxxxxx and destroy all electronic and paper copies of this 
e-mail.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html