Full Disclosure mailing list archives

Re: anyone seen this worm/trojan before?

From: Axel Pettinger <api () epost de>
Date: Fri, 04 Jun 2004 00:08:23 +0200

"Perrymon, Josh L." wrote:


I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
Doesn't look like it propagates to other machines but rather communicates
with a compromised
web companies server using IRC. The compromised server has removed the IRC
service. Only sends RST packets back.

<snip>

I would like to know the attack vectors. I'm guessing LSASS.


AntiVirus scanners identify our trojan as:

BitDefender : Backdoor.SDBot.Gen
Kaspersky   : Backdoor.Rbot.gen
McAfee      : W32/Sdbot.worm.gen.g 
Symantec    : W32.Spybot.Worm 
Trend Micro : WORM_SPYBOT.AP

From a quick look at the file I'd say the following is the best

description of that trojan. There're several attack vectors ...

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.AP&VSect=T

Regards,
Axel Pettinger

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

anyone seen this worm/trojan before? Perrymon, Josh L. (Jun 03)
- Re: anyone seen this worm/trojan before? Harlan Carvey (Jun 03)
- Re: anyone seen this worm/trojan before? Joshua Levitsky (Jun 03)
- Re: anyone seen this worm/trojan before? insecure (Jun 03)
- Re: anyone seen this worm/trojan before? Harlan Carvey (Jun 03)
  - RE: anyone seen this worm/trojan before? Jim Becher (Jun 04)
- Re: anyone seen this worm/trojan before? Axel Pettinger (Jun 03)
- <Possible follow-ups>
- RE: anyone seen this worm/trojan before? Perrymon, Josh L. (Jun 03)
- RE: anyone seen this worm/trojan before? Perrymon, Josh L. (Jun 03)
- RE: anyone seen this worm/trojan before? Perrymon, Josh L. (Jun 03)