----- Original Message -----
From: "morning_wood" <[EMAIL PROTECTED]>
To: "Scott Phelps / Dreamwright Studios" <[EMAIL PROTECTED]>
Sent: Monday, September 01, 2003 8:37 AM
Subject: Re: [Full-Disclosure] Virus, whether the scanners say so or not?

> let us find some function and the fun strings in your wupdated.exe sample.
> YOU DON'T NEED AN AV TO TELL YOU THE FUNCTIONS
> OR THAT IT IS A TROJAN / WORM
>
> and the correct identification is sdbot5b, this is a trojan worm bot
> compiled from c sources with lcc.
>
> the servers connecting and controlled are
> sm0k3.ath.cx - 27.0.0.1
> fewl.ath.cx - 127.0.0.1
>
> irc channels #keke0394l and #emohtob ( bothome backwards )
>
>
> sdbot 0.5b with SYN flood by [sd]
>
> notes:
> --------- snip --------------
> 0000ED7C 0042837C 0 sm0k3.ath.cx
> 0000EDA6 004283A6 0 fewl.ath.cx
>
>
> 0000EFAC 004285AC 0 SYNFlood
> 0000EFE4 004285E4 0 irc_connect
> 00010233 00429833 0 jamesbrown
>
> 00010523 00429B23 0 \IPC$
> 0001052E 00429B2E 0 net use * "%s" "%s" /user:"%s"
> 0001058D 00429B8D 0 [SCANNING] Address: %s Port: 139
> 00010695 00429C95 0 lcc runtime: GP fault. Stack trace
> ------------- snip -----------
>
> do some detective work, did you even try to load it in notepad?
> the above was obtained via "bintext" by Foundstone viewing the binary.
>
> Donnie Werner
> http://e2-labs.com
> http://exploitlabs.com
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
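The string-dump triage the post describes (bintext-style extraction of printable runs, then picking out the hostnames, IRC channels, SMB share and `net use` command that give the sample away) as an added Python example; this is not code from the post or from bintext, and the byte buffer it scans is a constructed stand-in that merely embeds the strings quoted above, not the real wupdated.exe.

```python
import re
from typing import Dict, List

MIN_LEN = 4  # shortest printable run that counts as a string (bintext's default)

# Constructed stand-in for a binary: junk bytes with a few embedded strings.
# The values echo the ones quoted in the post; this is NOT the real sample.
SAMPLE_BINARY = (
    b"\x00\x90" * 8 + b"sm0k3.ath.cx\x00" + b"\xff\x10" * 5
    + b"fewl.ath.cx\x00" + b"\x00" * 6 + b"SYNFlood\x00irc_connect\x00"
    + b"\x7f" * 4 + b"\\IPC$\x00" + b'net use * "%s" "%s" /user:"%s"\x00'
    + b"#keke0394l\x00#emohtob\x00" + b"\x01" * 9 + b"ab\x00"  # "ab" is too short
)

def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of printable ASCII (0x20-0x7e) of at least min_len chars."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

# One pattern per kind of indicator the post points to in the sample.
INDICATOR_PATTERNS = {
    "hostname": re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I),  # C2 hosts
    "irc_channel": re.compile(r"^#\w+$"),                           # bot channels
    "smb_share": re.compile(r"^\\[A-Za-z]+\$$"),                    # e.g. \IPC$
    "net_use_cmd": re.compile(r"^net use\b", re.I),                 # share spreading
    "flood_func": re.compile(r"flood", re.I),                       # DoS routine
}

def triage(blob: bytes) -> Dict[str, List[str]]:
    """Extract strings and bucket those that match a suspicious pattern."""
    hits: Dict[str, List[str]] = {label: [] for label in INDICATOR_PATTERNS}
    for s in extract_strings(blob):
        for label, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(s):
                hits[label].append(s)
    return hits

if __name__ == "__main__":
    for label, values in triage(SAMPLE_BINARY).items():
        print(f"{label:12s} {values}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; a hit in the hostname or irc_channel bucket is a lead to block or sinkhole, not proof by itself.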
