[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5E1F351F4AE1D611A7FE00B0D0AB064A02353291@is6b>
From: PerrymonJ at bek.com (Perrymon, Josh L.)
Subject: anyone seen this worm/trojan before?
I was guessing about LSASS because that was the only patch not on the box
that was infected.
The user also had a pass with a couple #'s in it so I didn't think it would
be found in a password list.
After watching it in a while I *Never saw it try to propagate to another
machine. That's what was weird.
So how would be get it the first time?
I had to infect him some way... But there where no other traces of it on
the network...
If I have some time I'll post the FPort data and some clean packet captures.
JP
-----Original Message-----
From: insecure [mailto:insecure@...ritech.net]
Sent: Thursday, June 03, 2004 2:27 PM
To: Perrymon, Josh L.
Cc: full-disclosure@...sys.com
Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?
Perrymon, Josh L. wrote:
>I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
>Doesn't look like it propagates to other machines but rather communicates
>with a compromised
>web companies server using IRC. The compromised server has removed the IRC
>service. Only sends RST packets back.
>
>I put it on my site.
>
>http://www.packetfocus.com/analysis.htm
>
>I would like to know the attack vectors. I'm guessing LSASS.
>
>Joshua Perrymon
>PGP Fingerprint
>51B8 01AC E58B 9BFE D57D 8EF6 C0B2 DECF EC20 6021
>
>
>
McAfee VirusScan 7.1 with 4364 DAT detects it as W32/Sdbot.worm.gen.g.
Other than that, they have no information besides that they first
noticed it on 5/26/2004.
It may spread through lsass, but this type of worm is usually limited to
spreading through network shares with weak password protection.
Jerry
Powered by blists - more mailing lists