Full Disclosure mailing list archives

Re: anyone seen this worm/trojan before?


From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 3 Jun 2004 12:24:36 -0700 (PDT)

Josh, 

I tried to download the archive, and McAfee alerted me
to "W32/Sdbot.worm.gen.g".

From:
http://www.sophos.com/virusinfo/analyses/w32sdbotcf.html

"W32/SdBot-CF spreads to other computers on the local
network protected by weak passwords."

I found this worm/trojan on a laptop. Ran FPort and
found the .exe.

I checked out your web site...don't you think that the
information you found via fport would be useful to
others, such as the port, etc?

Doesn't look like it propagates to other machines but
rather communicates with a compromised web company's
server using IRC. The compromised server has removed
the IRC service. Only sends RST packets back.

I put it on my site.

http://www.packetfocus.com/analysis.htm

I would like to know the attack vectors. I'm
guessing LSASS.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

