Message-ID: <611409750.20050211165053@axelero.hu>
From: papp_geza1 at axelero.hu (Geza Papp dr (Axelero))
Subject: Spybot and SQL

Hello Matthew,

On 11 February 2005, 6:34:19, you wrote:

>>Hi All,
>>Has anyone seen a spybot variant using the target machine's
>>IP address as the password for user SA?
>>
>>We don't have a name for this variant yet. I might be
>>reading my captures wrong but that's what this looks like
>>it's doing.
>>
>>I'll send captures to individuals if needed.

MF> Some of our MSDE machines running the engine equivalent to SQL Server
MF> 7.0 were hit a few days ago, presumably by something logging in as sa
MF> with a blank password.  They dropped off payloads named winlog.exe and
MF> soundblaster.exe.  I found information for these files on the Internet,
MF> but neither one was detected by McAfee or Norton.  Their fingerprints
MF> looked like an Agobot variant and an Rbot/SDBot variant, respectively,
MF> but as I said, neither was detected.

W32/Agobot-PR is an IRC backdoor Trojan and network worm.

W32/Agobot-PR spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

When first run W32/Agobot-PR copies itself to the Windows system folder as SRV325.EXE and creates the following registry entries to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Srv325
Srv325.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Srv325
Srv325.exe

Each time W32/Agobot-PR is run it attempts to connect to a remote IRC server and join a specific channel.

W32/Agobot-PR then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

The Trojan attempts to terminate and disable various anti-virus and security-related programs and modifies the HOSTS file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites. Typically the following mappings will be appended to the HOSTS file:


Patches for the operating system vulnerabilities exploited by W32/Agobot-PR can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx

Source: Sophos plc, Fri, 11 Feb 2005 14:14:39 +0000 (GMT)

-- 
Regards,
 Geza                            mailto:papp_geza1@...lero.hu
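
As an added example (not part of the original mail or the Sophos advisory), the following Python checks a HOSTS file for the tampering the advisory describes: security-vendor hostnames pointed at a loopback address. The vendor suffix list is taken from the advisory's mapping list; the sample HOSTS content is constructed for this example.

```python
import ipaddress

# Vendor domains the advisory lists as redirected; treated here as the
# defender's "must remain reachable" set.
SECURITY_VENDOR_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com",
)

def parse_hosts(text):
    """Yield (address, hostname) pairs from HOSTS text, skipping comments,
    blank lines and lines whose first field is not a valid IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed entry: ignore
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")

def is_vendor_domain(name):
    return any(name == s or name.endswith("." + s)
               for s in SECURITY_VENDOR_SUFFIXES)

def find_sinkholed_vendors(text):
    """Return sorted, de-duplicated vendor hostnames that the HOSTS text
    maps to a loopback address (IPv4 127.0.0.0/8 or IPv6 ::1)."""
    return sorted({name for addr, name in parse_hosts(text)
                   if addr.is_loopback and is_vendor_domain(name)})

# Constructed sample: stock entries plus advisory-style mappings (viruslist.com twice, as in the advisory).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # constructed internal host
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
::1 update.symantec.com
"""

if __name__ == "__main__":
    for host in find_sinkholed_vendors(SAMPLE_HOSTS):
        print("security vendor redirected to loopback:", host)
```

Run against a copy of %WINDOWS%\System32\Drivers\etc\HOSTS taken from a suspect machine; a non-empty result is the HOSTS-file symptom the advisory describes and a prompt to check the Run and RunServices keys as well.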
