[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] anyone seen this worm/trojan before?

To: "Perrymon, Josh L." <PerrymonJ@xxxxxxx>
Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?
From: insecure <insecure@xxxxxxxxxxxxx>
Date: Thu, 03 Jun 2004 14:27:03 -0500

Perrymon, Josh L. wrote:

I found this worm/ trojan on a laptop. Ran FPort and found the .exe. Doesn't look like it propagates to other machines but rather communicates with a compromised web companies server using IRC. The compromised server has removed the IRC service. Only sends RST packets back.

I put it on my site.

http://www.packetfocus.com/analysis.htm

I would like to know the attack vectors. I'm guessing LSASS.
Joshua Perrymon
PGP Fingerprint
51B8 01AC E58B 9BFE D57D  8EF6 C0B2 DECF EC20 6021

McAfee VirusScan 7.1 with 4364 DAT detects it as W32/Sdbot.worm.gen.g. Other than that, they have no information besides that they first noticed it on 5/26/2004.

It may spread through lsass, but this type of worm is usually limited to spreading through network shares with weak password protection.

Jerry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] anyone seen this worm/trojan before?
  - From: Perrymon, Josh L.

Prev by Date: [Full-Disclosure] Surgemail - Multiple Vulnerabilities
Next by Date: RE: [Full-Disclosure] anyone seen this worm/trojan before?
Previous by thread: Re: [Full-Disclosure] anyone seen this worm/trojan before?
Next by thread: Re: [Full-Disclosure] anyone seen this worm/trojan before?
Index(es):
- Date
- Thread