Message-ID: <40BFA157.74EA20E1@epost.de>
From: api at epost.de (Axel Pettinger)
Subject: anyone seen this worm/trojan  before?

"Perrymon, Josh L." wrote:
> 
> I found this worm/trojan on a laptop. Ran FPort and found the .exe.
> Doesn't look like it propagates to other machines but rather communicates
> with a compromised web company's server using IRC. The compromised server
> has removed the IRC service. Only sends RST packets back.
> 
<snip>
> I would like to know the attack vectors. I'm guessing LSASS.

AntiVirus scanners identify our trojan as:

BitDefender : Backdoor.SDBot.Gen
Kaspersky   : Backdoor.Rbot.gen
McAfee      : W32/Sdbot.worm.gen.g 
Symantec    : W32.Spybot.Worm 
Trend Micro : WORM_SPYBOT.AP

From a quick look at the file I'd say the following is the best
description of that trojan. There're several attack vectors ...

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.AP&VSect=T

Regards,
Axel Pettinger

