RE: [Full-Disclosure] anyone seen this worm/trojan before?

["Perrymon, Josh L." <PerrymonJ@xxxxxxx>]

I was guessing about LSASS because that was the only patch not on the box
that was infected.
The user also had a pass with a couple #'s in it so I didn't think it would
be found in a password list.

After watching it in a while I *Never saw it try to propagate to another
machine. That's what was weird.
So how would be get it the first time? 
I had to infect him some way...  But there where no other traces of it on
the network...

If I have some time I'll post the FPort data and some clean packet captures.

JP



-----Original Message-----
From: insecure [mailto:insecure@xxxxxxxxxxxxx]
Sent: Thursday, June 03, 2004 2:27 PM
To: Perrymon, Josh L.
Cc: full-disclosure@xxxxxxxxxx
Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?


Perrymon, Josh L. wrote:

>I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
>Doesn't look like it propagates to other machines but rather communicates
>with a compromised 
>web companies server using IRC. The compromised server has removed the IRC
>service. Only sends RST packets back.
>
>I put it on my site.
>
>http://www.packetfocus.com/analysis.htm
>
>I would like to know the attack vectors. I'm guessing LSASS.
>
>Joshua Perrymon
>PGP Fingerprint
>51B8 01AC E58B 9BFE D57D  8EF6 C0B2 DECF EC20 6021
>
>  
>
McAfee VirusScan 7.1 with 4364 DAT detects it as W32/Sdbot.worm.gen.g. 
Other than that, they have no information besides that they first 
noticed it on 5/26/2004.

It may spread through lsass, but this type of worm is usually limited to 
spreading through network shares with weak password protection.

Jerry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html