--__--__--

>Message: 21
>Date: Fri, 04 Jun 2004 00:08:23 +0200
>From: Axel Pettinger <[EMAIL PROTECTED]>
>Organization: API
>To: "Perrymon, Josh L." <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?
>"Perrymon, Josh L." wrote:
>>
>> I found this worm/trojan on a laptop. Ran FPort and found the .exe.
>> Doesn't look like it propagates to other machines but rather communicates
>> with a compromised web company's server using IRC. The compromised server
>> has removed the IRC service. Only sends RST packets back.
>>
><snip>
>> I would like to know the attack vectors. I'm guessing LSASS.
>
>AntiVirus scanners identify our trojan as:
>
>BitDefender : Backdoor.SDBot.Gen
>Kaspersky   : Backdoor.Rbot.gen
>McAfee      : W32/Sdbot.worm.gen.g
>Symantec    : W32.Spybot.Worm
>Trend Micro : WORM_SPYBOT.AP
>
>From a quick look at the file I'd say the following is the best
>description of that trojan. There are several attack vectors ...
>
>http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.AP&VSect=T
>
>Regards,
>Axel Pettinger

I'd like to throw something in here. While scanning with Spybot 1.3 it came to a halt with an error. The error was an "Xabot" error. After many attempts to figure this out I searched Xabot. This led to Symantec's site http://securityresponse.symantec.com/avcenter/venc/data/w32.xabot.worm.html and http://www.sophos.com/virusinfo/analyses/w32sdbotna.html where it is associated with Sdbot. Well, for sure I am having a hell of a time finding it, as all conventional means have failed: 3 online scans, 3 scans in safe mode, HijackThis, Swat-it, Bazooka, and still Spybot is halted with the error. I uninstalled Spybot three times. It seems I have a remnant somewhere.

Thank you,
Randall M

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html