Open Source and information security mailing list archives
 
Message-ID: <5C1469BE-B593-11D8-9685-000A958E4F56@joshie.com>
From: jlevitsk at joshie.com (Joshua Levitsky)
Subject: anyone seen this worm/trojan  before?

On Jun 3, 2004, at 1:54 PM, Perrymon, Josh L. wrote:

> I found this worm/trojan on a laptop. Ran FPort and found the .exe.
> Doesn't look like it propagates to other machines but rather communicates
> with a compromised web company's server using IRC. The compromised server
> has removed the IRC service. Only sends RST packets back.
>
> I put it on my site.
>
> http://www.packetfocus.com/analysis.htm
>
> I would like to know the attack vectors. I'm guessing LSASS.
>

It's a variant of W32.Spybot.Worm apparently. Symantec AntiVirus Defs as
of 6/3/04 Rev 36 (just created) detect it.

ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symcrapidreleasedefsi32.exe


-Josh

