PROTECTED] Behalf Of Harlan Carvey
Sent: Thursday, June 03, 2004 2:26 PM
To: [EMAIL PROTECTED]
Cc: Perrymon, Josh L.
Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?
Josh,
> I would like to know the attack vectors. I'm
> guessing LSASS.
If you don't know what the
"Perrymon, Josh L." wrote:
>
> I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
> Doesn't look like it propagates to other machines but rather communicates
> with a compromised
> web companies server using IRC. The compromised server has removed the IRC
> service. Only sends RS
Josh,
I tried to download the archive, and McAfee alerted me
to "W32/Sdbot.worm.gen.g".
From:
http://www.sophos.com/virusinfo/analyses/w32sdbotcf.html
"W32/SdBot-CF spreads to other computers on the local
network protected by weak passwords."
> I found this worm/ trojan on a laptop. Ran FPort
2004 2:41 PM
To: 'insecure'; Perrymon, Josh L.
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] anyone seen this worm/trojan before?
I was guessing about LSASS because that was the only patch not on the box
that was infected.
The user also had a pass with a couple #'s in it so I didn't
Josh,
> I would like to know the attack vectors. I'm
> guessing LSASS.
If you don't know what the worm is, what would lead
you to guess that the infection vector is LSASS? Is
there some other piece of information that you're not sharing?
On Jun 3, 2004, at 1:54 PM, Perrymon, Josh L. wrote:
I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
Doesn't look like it propagates to other machines but rather communicates
with a compromised
web companies server using IRC. The compromised server has removed the IRC
servi
MAIL PROTECTED]
Sent: Thursday, June 03, 2004 2:27 PM
To: Perrymon, Josh L.
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?
Perrymon, Josh L. wrote:
>I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
>Doesn't look like it propagat
EMAIL PROTECTED]
Cc: Perrymon, Josh L.
Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?
Josh,
I tried to download the archive, and McAfee alerted me
to "W32/Sdbot.worm.gen.g".
From:
http://www.sophos.com/virusinfo/analyses/w32sdbotcf.html
"W32/SdBot-CF spreads to ot
Perrymon, Josh L. wrote:
I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
Doesn't look like it propagates to other machines but rather communicates
with a compromised
web companies server using IRC. The compromised server has removed the IRC
service. Only sends RST packets back