Message-ID: <5E1F351F4AE1D611A7FE00B0D0AB064A02353292@is6b>
From: PerrymonJ at bek.com (Perrymon, Josh L.)
Subject: anyone seen this worm/trojan before?

I read the link below and noticed that this worm must be a variant because
the .exe is not the same and I don't notice any means of network scanning or
propagation.


JP

-----Original Message-----
From: Harlan Carvey [mailto:keydet89@...oo.com]
Sent: Thursday, June 03, 2004 2:25 PM
To: full-disclosure@...sys.com
Cc: Perrymon, Josh L.
Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?


Josh, 

I tried to download the archive, and McAfee alerted me
to "W32/Sdbot.worm.gen.g".

From:
http://www.sophos.com/virusinfo/analyses/w32sdbotcf.html

"W32/SdBot-CF spreads to other computers on the local
network protected by weak passwords."

> I found this worm/ trojan on a laptop. Ran FPort and
> found the .exe.

I checked out your web site...don't you think that the
information you found via fport would be useful to
others, such as the port, etc?

> Doesn't look like it propagates to other machines
> but rather communicates
> with a compromised
> web company's server using IRC. The compromised
> server has removed the IRC
> service. Only sends RST packets back.
> 
> I put it on my site.
> 
> http://www.packetfocus.com/analysis.htm
> 
> I would like to know the attack vectors. I'm
> guessing LSASS.

