Put a sniffer on the offending workstations, see what you get.

Regards,
Jade

On Mon, 2003-09-08 at 17:59, James Patterson Wicks wrote:
> Update: Looked at the firewall and saw that some systems were trying to
> contact outside systems on ports 135 and 445. It looks and acts like
> "W32.HLLW.Gaobot.AA", but it would have to be some sort of variant due to the
> change in the file names. Whatdoyathink?
>
> -----Original Message-----
> From: James Patterson Wicks
> Sent: Monday, September 08, 2003 4:18 PM
> To: full-disclosure@xxxxxxxxxxxxxxxx
> Subject: [Full-Disclosure] Backdoor.Sdbot.N Question
>
> Anyone know how Backdoor.Sdbot.N spreads? This morning we had several users
> pop up with this trojan (or a new variant). These users generated a ton of
> traffic until their machines were unplugged from the network. Their systems
> have all the markers for the Backdoor.Sdbot.N trojan (registry entries, etc.),
> but it was not picked up by the Norton virus scan. In fact, even if you perform
> a manual scan after the trojan was discovered, it is still not detected in
> the scan.
>
> I would also like to know if this is also an indicator of not having the
> patch for the Blaster worm.
>
> This e-mail is the property of Oxygen Media, LLC. It is intended only for
> the person or entity to which it is addressed and may contain information
> that is privileged, confidential, or otherwise protected from disclosure.
> Distribution or copying of this e-mail or the information contained herein by
> anyone other than the intended recipient is prohibited. If you have received
> this e-mail in error, please immediately notify us by sending an e-mail to
> postmaster@xxxxxxxxxx and destroy all electronic and paper copies of this
> e-mail.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
PGP Public Key: http://www.riven.net/~moose/key.asc
Key fingerprint = C497 1FEC 6FC4 6896 6AB5 9A26 71DF 521B 0612 D1B8
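The firewall observation in the thread (internal hosts reaching outside addresses on 135 and 445) can be triaged from a sniffer capture the way Jade suggests. The following is an added example, not code from the thread: it parses constructed tcpdump-style SYN summary lines and lists the internal hosts (assumed to live in 10.0.0.0/8) that hit two or more distinct external addresses on those ports, which is the fan-out pattern of a worm looking for new victims rather than normal file sharing.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed tcpdump-style summary lines (not from the thread), one SYN per line.
SAMPLE_CAPTURE = """\
17:59:01.101 IP 10.0.0.12.1034 > 203.0.113.5.445: Flags [S], seq 1, length 0
17:59:01.102 IP 10.0.0.12.1035 > 203.0.113.6.135: Flags [S], seq 1, length 0
17:59:01.103 IP 10.0.0.12.1036 > 203.0.113.7.445: Flags [S], seq 1, length 0
17:59:01.104 IP 10.0.0.12.1037 > 198.51.100.9.445: Flags [S], seq 1, length 0
17:59:02.201 IP 10.0.0.20.1100 > 10.0.0.1.445: Flags [S], seq 1, length 0
17:59:02.202 IP 10.0.0.20.1101 > 10.0.0.2.445: Flags [S], seq 1, length 0
17:59:03.301 IP 10.0.0.33.1200 > 203.0.113.8.80: Flags [S], seq 1, length 0
17:59:04.401 IP 10.0.0.41.1300 > 198.51.100.10.135: Flags [S], seq 1, length 0
"""

# Assumed internal address range; adjust to the site's own allocation.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# RPC/DCOM (135) and SMB (445): the ports the firewall showed in the thread.
SUSPECT_PORTS = {135, 445}

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\]"
)


def parse_syns(capture):
    """Yield (src, dst, dport) for every SYN summary line in the capture text."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def flag_scanners(capture, min_targets=2):
    """Return {src: sorted external targets} for internal hosts that sent SYNs
    on 135 or 445 to at least `min_targets` distinct addresses outside INTERNAL_NET."""
    targets = defaultdict(set)
    for src, dst, dport in parse_syns(capture):
        if dport not in SUSPECT_PORTS:
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in INTERNAL_NET and dst_ip not in INTERNAL_NET:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}
```

With the sample data only 10.0.0.12 is flagged at the default threshold; lowering `min_targets` to 1 also surfaces 10.0.0.41, so the threshold is where you trade false positives against catching a host early in its scan.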