> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> James Patterson Wicks
> Sent: Tuesday, 9 September 2003 8:18 a.m.
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Backdoor.Sdbot.N Question
>
> Anyone know how Backdoor.Sdbot.N spreads? This morning we
> had several users pop up with this trojan (or a new variant).
> These users generated a ton of traffic until their machines
> were unplugged from the network. Their systems have all the
> markers for the Backdoor.Sdbot.N trojan (registry entries,
> etc), but was not picked up by the Norton virus scan. In
> fact, even if you perform a manual scan after the trojan was
> discovered, it is still not detected in the scan.

As far as I saw on a couple of systems, usually it's downloaded by a separate worm/tool/whatever. Mimail (which some companies detect as TrojanDropper.JS.Mimail.b), for example, will download and execute a file from a particular website. That file can (of course) be Backdoor.Sdbot.

Also, I saw several instances of the Backdoor.Coreflood trojan on some client machines. They got this trojan when users went to Web sites which had a VBScript which in turn is a dropper for the trojan. Those scripts usually use the vulnerability described in MS03-032.

> I would also like to know if this is also an indicator of not
> having the patch for the Blaster worm.

Probably not - I suspect they went to some Web site which had a dropper VBScript on it.

Regards,

Bojan Zdrnja

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
