I read the link below and noticed that this worm must be a variant because the .exe is not the same and I don't notice any means of network scanning or propagation.

JP

-----Original Message-----
From: Harlan Carvey [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 2:25 PM
To: [EMAIL PROTECTED]
Cc: Perrymon, Josh L.
Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?

Josh,

I tried to download the archive, and McAfee alerted me to "W32/Sdbot.worm.gen.g".

From: http://www.sophos.com/virusinfo/analyses/w32sdbotcf.html
"W32/SdBot-CF spreads to other computers on the local network protected by weak passwords."

> I found this worm/trojan on a laptop. Ran FPort and
> found the .exe.

I checked out your web site...don't you think that the information you found via fport would be useful to others, such as the port, etc?

> Doesn't look like it propagates to other machines
> but rather communicates with a compromised
> web company's server using IRC. The compromised
> server has removed the IRC service. Only sends
> RST packets back.
>
> I put it on my site.
>
> http://www.packetfocus.com/analysis.htm
>
> I would like to know the attack vectors. I'm
> guessing LSASS.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
