From: Bojan.Zdrnja at LSS.hr (Bojan Zdrnja)
Subject: Backdoor.Sdbot.N Question


> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> James Patterson Wicks
> Sent: Tuesday, 9 September 2003 8:18 a.m.
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Backdoor.Sdbot.N Question
> 
> 
> Anyone know how Backdoor.Sdbot.N spreads?  This morning we
> had several users pop up with this trojan (or a new variant).
> These users generated a ton of traffic until their machines
> were unplugged from the network.  Their systems have all the
> markers for the Backdoor.Sdbot.N trojan (registry entries,
> etc.), but it was not picked up by the Norton virus scan.  In
> fact, even if you perform a manual scan after the trojan was
> discovered, it is still not detected in the scan.

As far as I saw on a couple of systems, it's usually downloaded by a separate
worm/tool/whatever.
Mimail (which some companies detect as TrojanDropper.JS.Mimail.b), for
example, will download and execute a file from a particular website. That
file can (of course) be Backdoor.Sdbot.

Also, I saw several instances of Backdoor.Coreflood trojan on some client
machines. They got this trojan when users went to Web sites which had a
VBScript which in turn is a dropper for the trojan. Those scripts usually
use the vulnerability described in MS03-032.

> I would also like to know if this is also an indicator of not 
> having the patch for the Blaster worm.

Probably not - I suspect they went to some Web site which had a dropper
VBScript on it.

Regards,

Bojan Zdrnja

