Thanks for all the feedback. Seems that we have W32/Gaobot.worm.aa: http://vil.nai.com/vil/content/v_100611.htm
Seems that people are picking it up in IE (according to the registry scans). Symantec does not have a fix for it yet, but they sent us a beta to try. Since it is only on a few systems, we'll give it a shot.

-----Original Message-----
From: cseagle [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 09, 2003 2:57 AM
To: James Patterson Wicks
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Backdoor.Sdbot.N Question

It sounds like the agobot3 ircbot/backdoor that appeared a few weeks ago on a couple of college campuses. The version I have seen installs itself as svchosl.exe and winhl32.exe. The only online writeup I can find is here and matches what I have in the lab:
http://www.trendmicro.com.cn/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.P&VSect=T

Chris

James Patterson Wicks wrote:
>Update: Looked at the firewall and saw that some systems were trying to contact
>outside systems on ports 135 and 445. It looks and acts like "W32.HLLW.Gaobot.AA",
>but it would have to be some sort of variant due to the change in the file names.
>Whatdoyathink?
>
>-----Original Message-----
>From: James Patterson Wicks
>Sent: Monday, September 08, 2003 4:18 PM
>To: [EMAIL PROTECTED]
>Subject: [Full-Disclosure] Backdoor.Sdbot.N Question
>
>Anyone know how Backdoor.Sdbot.N spreads? This morning we had several users pop up
>with this trojan (or a new variant). These users generated a ton of traffic until
>their machines were unplugged from the network. Their systems have all the markers
>for the Backdoor.Sdbot.N trojan (registry entries, etc.), but it was not picked up by the
>Norton virus scan. In fact, even if you perform a manual scan after the trojan was
>discovered, it is still not detected in the scan.
>
>I would also like to know if this is also an indicator of not having the patch for
>the Blaster worm.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
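The firewall observation in the thread (internal hosts reaching many outside systems on ports 135 and 445) is a usable triage signal. The script below is an added example, not code from the thread or from any vendor: it parses constructed firewall log lines in an assumed "action proto src -> dst" layout, ignores normal internal SMB traffic, and reports internal hosts that hit several distinct external hosts on those ports. The log format, the RFC 1918 internal ranges and the threshold are assumptions to adapt to the real site.

```python
import ipaddress
import re
from collections import defaultdict

# Ports the thread associates with the worm's outbound spreading attempts
# (RPC/DCOM on 135, SMB on 445).
WORM_PORTS = {135, 445}

# Assumption: internal address space is RFC 1918; adjust for the real site.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (not real logs from the thread), in an assumed
# "date time action proto src:port -> dst:port" layout. One line is malformed
# on purpose to show that unparseable lines are skipped rather than crashing.
SAMPLE_LOG = """\
2003-09-08 09:01:02 DENY TCP 10.1.2.34:1045 -> 203.0.113.7:135
2003-09-08 09:01:02 DENY TCP 10.1.2.34:1046 -> 203.0.113.8:135
2003-09-08 09:01:03 DENY TCP 10.1.2.34:1047 -> 198.51.100.20:445
2003-09-08 09:01:03 DENY TCP 10.1.2.34:1048 -> 198.51.100.21:445
2003-09-08 09:01:04 ALLOW TCP 10.1.2.50:3210 -> 10.1.2.5:445
2003-09-08 09:01:05 ALLOW TCP 10.1.2.51:3301 -> 203.0.113.9:80
2003-09-08 09:01:06 DENY TCP 10.1.2.77:1100 -> 203.0.113.40:135
this line is not a firewall record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return (m["src"], m["dst"], int(m["dport"])) if m else None

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_suspects(log_text, min_targets=3):
    """Map each internal host that reached at least min_targets distinct
    external hosts on 135/445 to its count of distinct external targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        # Only outbound (internal -> external) hits on the worm ports count;
        # internal file sharing on 445 is normal and is left alone.
        if dport in WORM_PORTS and is_internal(src) and not is_internal(dst):
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for host, n in sorted(find_suspects(SAMPLE_LOG).items()):
        print(f"{host}: {n} distinct external hosts on 135/445 -- isolate and scan")
```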
