
RE: [Full-Disclosure] Backdoor.Sdbot.N Question




> -----Original Message-----
> From: full-disclosure-admin@xxxxxxxxxxxxxxxx 
> [mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of 
> James Patterson Wicks
> Sent: Tuesday, 9 September 2003 8:18 a.m.
> To: full-disclosure@xxxxxxxxxxxxxxxx
> Subject: [Full-Disclosure] Backdoor.Sdbot.N Question
> 
> 
> Anyone know how Backdoor.Sdbot.N spreads?  This morning we 
> had several users pop up with this trojan (or a new variant). 
> These users generated a ton of traffic until their machines 
> were unplugged from the network.  Their systems have all the 
> markers for the Backdoor.Sdbot.N trojan (registry entries, 
> etc), but it was not picked up by the Norton virus scan.  In 
> fact, even if you perform a manual scan after the trojan was 
> discovered, it is still not detected in the scan.

As far as I saw on a couple of systems, usually it's downloaded by a separate
worm/tool/whatever.
Mimail (which some companies detect as TrojanDropper.JS.Mimail.b), for
example, will download and execute a file from a particular website. That
file can (of course) be Backdoor.Sdbot.

Also, I saw several instances of Backdoor.Coreflood trojan on some client
machines. They got this trojan when users went to Web sites which had a
VBScript which in turn is a dropper for the trojan. Those scripts usually
use the vulnerability described in MS03-032.

> I would also like to know if this is also an indicator of not 
> having the patch for the Blaster worm.

Probably not - I suspect they went to some Web site which had a dropper
VBScript on it.

Regards,

Bojan Zdrnja

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html