lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <200406042330.i54NUBv04878@netsys.com>
From: randallm at fidmail.com (RandallM)
Subject: xabot or sdbot or spybot...

--__--__--

>Message: 21
>Date: Fri, 04 Jun 2004 00:08:23 +0200
>From: Axel Pettinger <api@...st.de>
>Organization: API
>To: "Perrymon, Josh L." <PerrymonJ@....com>, full-disclosure@...sys.com
>Subject: Re: [Full-Disclosure] anyone seen this worm/trojan  before?

>"Perrymon, Josh L." wrote:
>> 
>> I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
>> Doesn't look like it propagates to other machines but rather communicates
>> with a compromised
>> web companies server using IRC. The compromised server has removed the
IRC
>> service. Only sends RST packets back.
>> 
><snip>
>> I would like to know the attack vectors. I'm guessing LSASS.

>AntiVirus scanners identify our trojan as:

>BitDefender : Backdoor.SDBot.Gen
>Kaspersky   : Backdoor.Rbot.gen
>McAfee      : W32/Sdbot.worm.gen.g 
>Symantec    : W32.Spybot.Worm 
>Trend Micro : WORM_SPYBOT.AP

>From a quick look at the file I'd say the following is the best 
>description of that trojan. There're several attack vectors ...

>http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT
.AP&VSect=T

>Regards,
>Axel Pettinger



I'd like to throw something in here. While scanning with Spybot 1.3 it came
to a halt with an error. The error was an
"Xabot" error. After many attempts to figure this out I searched Xabot. This
lead to Symantics site 
http://securityresponse.symantec.com/avcenter/venc/data/w32.xabot.worm.html
and http://www.sophos.com/virusinfo/analyses/w32sdbotna.html where it is
associated with Sdbot. 

Well, for sure I am having a hell of a time finding it as all conventional
means have failed. 3 online scans. 3 scans in safe mode. Hijack This,
Swat-it, Bazooka and still Spybot is halted with the error. I uninstalled
Spybot three times. It seems I have a remnant somewhere.

thank you
Randall M
?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ