lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <40BF7B87.2020200@ameritech.net>
From: insecure at ameritech.net (insecure)
Subject: anyone seen this worm/trojan  before?

Perrymon, Josh L. wrote:

>I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
>Doesn't look like it propagates to other machines but rather communicates
>with a compromised 
>web companies server using IRC. The compromised server has removed the IRC
>service. Only sends RST packets back.
>
>I put it on my site.
>
>http://www.packetfocus.com/analysis.htm
>
>I would like to know the attack vectors. I'm guessing LSASS.
>
>Joshua Perrymon
>PGP Fingerprint
>51B8 01AC E58B 9BFE D57D  8EF6 C0B2 DECF EC20 6021
>
>  
>
McAfee VirusScan 7.1 with 4364 DAT detects it as W32/Sdbot.worm.gen.g. 
Other than that, they have no information besides that they first 
noticed it on 5/26/2004.

It may spread through lsass, but this type of worm is usually limited to 
spreading through network shares with weak password protection.

Jerry


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ