From: Bojan.Zdrnja at LSS.hr (Bojan Zdrnja)
Subject: Backdoor.Sdbot.N Question
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> James Patterson Wicks
> Sent: Tuesday, 9 September 2003 8:18 a.m.
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Backdoor.Sdbot.N Question
>
>
> Anyone know how Backdoor.Sdbot.N spreads? This morning we
> had several users pop up with this trojan (or a new variant).
> These users generated a ton of traffic until their machines
> were unplugged from the network. Their systems have all the
> markers for the Backdoor.Sdbot.N trojan (registry entries,
> etc), but was not picked up by the Norton virus scan. In
> fact, even if you perform a manual scan after the trojan was
> discovered, it is still not detected in the scan.

As far as I saw on a couple of systems, usually it's downloaded by a separate
worm/tool/whatever.

Mimail (which some companies detect as TrojanDropper.JS.Mimail.b), for
example, will download and execute a file from a particular website. That
file can (of course) be Backdoor.Sdbot.

Also, I saw several instances of the Backdoor.Coreflood trojan on some client
machines. They got this trojan when users went to Web sites which had a
VBScript which in turn is a dropper for the trojan. Those scripts usually
use the vulnerability described in MS03-032.

> I would also like to know if this is also an indicator of not
> having the patch for the Blaster worm.

Probably not - I suspect they went to some Web site which had a dropper
VBScript on it.

Regards,
Bojan Zdrnja