Message-ID: <Law11-OE17jA0gFawJ80003210e@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Fw: Virus, whether the scanners say so or not?

----- Original Message ----- 
From: "morning_wood" <se_cur_ity@...mail.com>
To: "Scott Phelps / Dreamwright Studios" <scottp@...amwright.com>
Sent: Monday, September 01, 2003 8:37 AM
Subject: Re: [Full-Disclosure] Virus, whether the scanners say so or not?


> let us find some function and the fun strings in your wupdated.exe sample.
> YOU DON'T NEED AN AV TO TELL YOU THE FUNCTIONS
> OR THAT IT IS A TROJAN / WORM
> 
> and the correct identification is sdbot5b; this is a trojan worm bot
> compiled from c sources with lcc.
> 
> the servers connecting and controlled are
> sm0k3.ath.cx - 27.0.0.1
> fewl.ath.cx - 127.0.0.1
> 
> irc channels #keke0394l and #emohtob (bothome backwards)
> 
> 
>  sdbot 0.5b with SYN flood by [sd]
> 
> notes:
> --------- snip --------------
> 0000ED7C   0042837C      0   sm0k3.ath.cx
> 0000EDA6   004283A6      0   fewl.ath.cx
> 
> 
> 0000EFAC   004285AC      0   SYNFlood
> 0000EFE4   004285E4      0   irc_connect
> 00010233   00429833      0   jamesbrown
> 
> 00010523   00429B23      0   \IPC$
> 0001052E   00429B2E      0   net use * "%s" "%s" /user:"%s"
> 0001058D   00429B8D      0   [SCANNING] Address: %s Port: 139
> 00010695   00429C95      0   lcc runtime: GP fault.       Stack trace
> ------------- snip -----------
> 
> do some detective work, did you even try to load it in notepad?
> the above was obtained via "bintext" by Foundstone viewing the binary.
> 
> Donnie Werner
> http://e2-labs.com
> http://exploitlabs.com 
> 

