
RE: [Full-Disclosure] Backdoor.Sdbot.N Question



Thanks for all the feedback.  Seems that we have W32/Gaobot.worm.aa: 
http://vil.nai.com/vil/content/v_100611.htm

Seems that people are picking it up in IE (according to the registry scans).  
Symantec does not have a fix for it yet, but they sent us a beta to try.  Since 
it is only on a few systems, we'll give it a shot.  

-----Original Message-----
From: cseagle [mailto:cseagle@xxxxxxxxxxxx]
Sent: Tuesday, September 09, 2003 2:57 AM
To: James Patterson Wicks
Cc: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] Backdoor.Sdbot.N Question


It sounds like the agobot3 ircbot/backdoor that appeared a few weeks ago 
on a couple of college campuses.  The version I have seen installs 
itself as svchosl.exe and winhl32.exe. The only online writeup I can 
find is here and matches what I have in the lab:

http://www.trendmicro.com.cn/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.P&VSect=T

Chris

James Patterson Wicks wrote:

>Update:  Looked at the firewall and saw that some systems were trying to 
>contact outside systems on ports 135 and 445.  It looks and acts like 
>"W32.HLLW.Gaobot.AA", but it would have to be some sort of variant due to the 
>change in the file names.  Whatdoyathink?
>
>-----Original Message-----
>From: James Patterson Wicks 
>Sent: Monday, September 08, 2003 4:18 PM
>To: full-disclosure@xxxxxxxxxxxxxxxx
>Subject: [Full-Disclosure] Backdoor.Sdbot.N Question
>
>
>Anyone know how Backdoor.Sdbot.N spreads?  This morning we had several users 
>pop up with this trojan (or a new variant).  These users generated a ton of 
>traffic until their machines were unplugged from the network.  Their systems 
>have all the markers for the Backdoor.Sdbot.N trojan (registry entries, etc), 
>but it was not picked up by the Norton virus scan.  In fact, even if you perform 
>a manual scan after the trojan was discovered, it is still not detected in the 
>scan.
>
>I would also like to know if this is also an indicator of not having the patch 
>for the Blaster worm.
>
>This e-mail is the property of Oxygen Media, LLC.  It is intended only for the 
>person or entity to which it is addressed and may contain information that is 
>privileged, confidential, or otherwise protected from disclosure. Distribution 
>or copying of this e-mail or the information contained herein by anyone other 
>than the intended recipient is prohibited. If you have received this e-mail in 
>error, please immediately notify us by sending an e-mail to 
>postmaster@xxxxxxxxxx and destroy all electronic and paper copies of this 
>e-mail.
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html

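The outbound 135/445 pattern James saw on the firewall, as an added detection example that is not part of the thread: it parses constructed firewall log lines (the log format, the sample addresses and the fan-out threshold are assumptions) and lists internal hosts that tried to reach several distinct external addresses on those ports, the scanning fan-out of a self-propagating bot rather than ordinary file sharing.

```python
# Added example, not from the thread: flag internal hosts whose outbound
# connections to TCP 135/445 fan out to many distinct external addresses.
from collections import defaultdict
import ipaddress

WORM_PORTS = {135, 445}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Constructed log lines: "<time> <action> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
09:01:02 DENY 10.1.2.3:1034 -> 203.0.113.7:135
09:01:02 DENY 10.1.2.3:1035 -> 203.0.113.8:135
09:01:02 DENY 10.1.2.3:1036 -> 203.0.113.9:445
09:01:03 DENY 10.1.2.3:1037 -> 198.51.100.4:135
09:01:03 DENY 10.1.2.3:1038 -> 198.51.100.5:445
09:01:05 ALLOW 10.1.2.50:1500 -> 198.51.100.20:80
09:01:06 DENY 10.1.2.50:1501 -> 198.51.100.21:445
09:01:07 ALLOW 10.1.2.3:1039 -> 10.1.2.10:445
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port), or None if the line does not match."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    src_ip, _ = parts[2].rsplit(":", 1)
    dst_ip, dst_port = parts[4].rsplit(":", 1)
    return src_ip, dst_ip, int(dst_port)

def find_scanners(log_text, threshold=3):
    """Map each internal source to the sorted external hosts it probed on
    135/445, keeping only sources with at least `threshold` distinct targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec
        # Count only outbound attempts; internal-to-internal SMB/RPC is routine.
        if port in WORM_PORTS and is_internal(src) and not is_internal(dst):
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}

for host, dsts in find_scanners(SAMPLE_LOG).items():
    print(f"{host}: probed {len(dsts)} external hosts on 135/445, isolate and scan")
```

Hosts listed this way are candidates for unplugging and a manual scan with updated signatures; the threshold is deliberately low here and should be tuned to the site's normal traffic.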