[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] anyone seen this worm/trojan before?

To: full-disclosure@xxxxxxxxxx
Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?
From: Harlan Carvey <keydet89@xxxxxxxxx>
Date: Thu, 3 Jun 2004 12:24:36 -0700 (PDT)

Josh, 

I tried to download the archive, and McAfee alerted me
to "W32/Sdbot.worm.gen.g".

From:
http://www.sophos.com/virusinfo/analyses/w32sdbotcf.html

"W32/SdBot-CF spreads to other computers on the local
network protected by weak passwords."

> I found this worm/ trojan on a laptop. Ran FPort and
> found the .exe.

I checked out your web site...don't you think that the
information you found via fport would be useful to
others, such as the port, etc?

> Doesn't look like it propagates to other machines
> but rather communicates
> with a compromised 
> web companies server using IRC. The compromised
> server has removed the IRC
> service. Only sends RST packets back.
> 
> I put it on my site.
> 
> http://www.packetfocus.com/analysis.htm
> 
> I would like to know the attack vectors. I'm
> guessing LSASS.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] anyone seen this worm/trojan before?
  - From: Perrymon, Josh L.

Prev by Date: [Full-Disclosure] Re: anyone seen this worm/trojan before?
Next by Date: RE: [Full-Disclosure] anyone seen this worm/trojan before?
Previous by thread: RE: [Full-Disclosure] anyone seen this worm/trojan before?
Next by thread: Re: [Full-Disclosure] anyone seen this worm/trojan before?
Index(es):
- Date
- Thread