Full Disclosure mailing list archives
Re: anyone seen this worm/trojan before?
From: Axel Pettinger <api () epost de>
Date: Fri, 04 Jun 2004 00:08:23 +0200
"Perrymon, Josh L." wrote:
I found this worm/trojan on a laptop. Ran FPort and found the .exe. Doesn't look like it propagates to other machines but rather communicates with a compromised web company's server using IRC. The compromised server has removed the IRC service. Only sends RST packets back.
<snip>
I would like to know the attack vectors. I'm guessing LSASS.
AntiVirus scanners identify our trojan as:

BitDefender : Backdoor.SDBot.Gen
Kaspersky   : Backdoor.Rbot.gen
McAfee      : W32/Sdbot.worm.gen.g
Symantec    : W32.Spybot.Worm
Trend Micro : WORM_SPYBOT.AP

From a quick look at the file I'd say the following is the best
description of that trojan. There're several attack vectors ...

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.AP&VSect=T

Regards,
Axel Pettinger

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html