Put a sniffer on the offending workstations, see what you get.

Regards,
Jade

On Mon, 2003-09-08 at 17:59, James Patterson Wicks wrote:
> Update: Looked at the firewall and saw that some systems were trying to contact
> outside systems on ports 135 and 445. It looks and acts like "W32.HLLW.Gaobot.AA",
> but it would have to be some sort of variant due to the change in the file names.
> Whatdoyathink?
>
> -----Original Message-----
> From: James Patterson Wicks
> Sent: Monday, September 08, 2003 4:18 PM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Backdoor.Sdbot.N Question
>
> Anyone know how Backdoor.Sdbot.N spreads? This morning we had several users pop up
> with this trojan (or a new variant). These users generated a ton of traffic until
> their machines were unplugged from the network. Their systems have all the markers
> for the Backdoor.Sdbot.N trojan (registry entries, etc), but was not picked up by
> the Norton virus scan. In fact, even if you perform a manual scan after the trojan
> was discovered, it is still not detected in the scan.
>
> I would also like to know if this is also an indicator of not having the patch for
> the Blaster worm.
>
> This e-mail is the property of Oxygen Media, LLC. It is intended only for the
> person or entity to which it is addressed and may contain information that is
> privileged, confidential, or otherwise protected from disclosure. Distribution or
> copying of this e-mail or the information contained herein by anyone other than the
> intended recipient is prohibited. If you have received this e-mail in error, please
> immediately notify us by sending an e-mail to [EMAIL PROTECTED] and destroy all
> electronic and paper copies of this e-mail.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
PGP Public Key: http://www.riven.net/~moose/key.asc
Key fingerprint = C497 1FEC 6FC4 6896 6AB5 9A26 71DF 521B 0612 D1B8
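Added example, not part of the thread: one way to pick out which workstations to put the sniffer on, by flagging internal hosts that tried ports 135 and 445 against several distinct outside addresses, as described in the update above. The key=value log format, the internal address ranges and the `min_targets` threshold are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in a made-up key=value firewall log format (assumption).
SAMPLE_LOG = """\
2003-09-08T16:01:02 action=deny proto=tcp src=10.1.4.21 dst=198.51.100.7 dport=135
2003-09-08T16:01:02 action=deny proto=tcp src=10.1.4.21 dst=198.51.100.8 dport=445
2003-09-08T16:01:03 action=deny proto=tcp src=10.1.4.21 dst=203.0.113.9 dport=445
2003-09-08T16:01:03 action=deny proto=tcp src=10.1.4.21 dst=203.0.113.10 dport=135
2003-09-08T16:02:10 action=allow proto=tcp src=10.1.4.30 dst=10.1.1.5 dport=445
2003-09-08T16:02:11 action=allow proto=tcp src=10.1.4.30 dst=192.0.2.80 dport=80
2003-09-08T16:03:40 action=deny proto=tcp src=10.1.4.44 dst=192.0.2.15 dport=445
2003-09-08T16:05:00 action=deny proto=tcp src=bogus dst=203.0.113.9 dport=445
"""

WATCHED_PORTS = {135, 445}  # the ports named in the thread
# Assumed internal address space; the documentation ranges above stand in for "outside".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed field
    return any(ip in net for net in INTERNAL_NETS)

def suspect_hosts(log_text, min_targets=3):
    """Map each internal source to the external addresses it tried on TCP 135/445,
    keeping only sources with at least min_targets distinct external targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) not in WATCHED_PORTS:
            continue
        try:
            # Internal-to-internal SMB/RPC is normal; only outbound attempts count.
            if is_internal(m["src"]) and not is_internal(m["dst"]):
                targets[m["src"]].add(m["dst"])
        except ValueError:
            continue  # skip lines with unparseable addresses
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for host, dsts in suspect_hosts(SAMPLE_LOG).items():
        print(f"{host}: {len(dsts)} external targets on 135/445")
```

Hosts below the threshold are not cleared by this; lowering `min_targets` widens the list at the cost of more noise.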
