lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
From: pwicks at oxygen.com (James Patterson Wicks)
Subject: Backdoor.Sdbot.N Question

Thanks for all the feedback.  Seems that we have W32/Gaobot.worm.aa: http://vil.nai.com/vil/content/v_100611.htm

Seems that people are picking it up in IE (according to the registry scans).  Symantec does not have a fix for it yet, but they sent us a beta to try.  Since it is only on a few systems, we'll give it a shot.  

-----Original Message-----
From: cseagle [mailto:cseagle@...shift.com]
Sent: Tuesday, September 09, 2003 2:57 AM
To: James Patterson Wicks
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Backdoor.Sdbot.N Question


It sounds like the agobot3 ircbot/backdoor that appeared a few weeks ago 
on a couple of college campuses.  The version I have seen installs 
itself as svchosl.exe and winhl32.exe. The only online writeup I can 
find is here and matches what I have in the lab:

http://www.trendmicro.com.cn/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.P&VSect=T

Chris

James Patterson Wicks wrote:

>Update:  Looked at the firewall and saw that some systems were trying to contact outside systems on ports 135 and 445.  It looks and acts like "W32.HLLW.Gaobot.AA", but it would have to be some sort of variant due to the change in the file names.  Whatdoyathink?
>
>-----Original Message-----
>From: James Patterson Wicks 
>Sent: Monday, September 08, 2003 4:18 PM
>To: full-disclosure@...ts.netsys.com
>Subject: [Full-Disclosure] Backdoor.Sdbot.N Question
>
>
>Anyone know how Backdoor.Sdbot.N spreads?  This morning we had several users pop up with this trojan (or a new variant).  These users generated a ton of traffic until their machines were unplugged from the network.  There systems have all the markers for the Backdoor.Sdbot.N trojan (registry entries, etc), but was not picked up by the Norton virus scan.  In fact, even it you perform a manual scan after the trojan was discovered, it is still not detected in the scan.
>
>I would also like to know if this is also an indicator of not having the patch for the Blaster worm.
>
>This e-mail is the property of Oxygen Media, LLC.  It is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. Distribution or copying of this e-mail or the information contained herein by anyone other than the intended recipient is prohibited. If you have received this e-mail in error, please immediately notify us by sending an e-mail to postmaster@...gen.com and destroy all electronic and paper copies of this e-mail.
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>.
>
>  
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ