I was guessing about LSASS because that was the only patch not on the box that was infected. The user also had a pass with a couple #'s in it so I didn't think it would be found in a password list.
After watching it for a while I *never* saw it try to propagate to another machine. That's what was weird. So how would he get it the first time? It had to infect him some way... But there were no other traces of it on the network... If I have some time I'll post the FPort data and some clean packet captures.

JP

-----Original Message-----
From: insecure [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 2:27 PM
To: Perrymon, Josh L.
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] anyone seen this worm/trojan before?

Perrymon, Josh L. wrote:
>I found this worm/trojan on a laptop. Ran FPort and found the .exe.
>Doesn't look like it propagates to other machines but rather communicates
>with a compromised web company's server using IRC. The compromised server has removed the IRC
>service. Only sends RST packets back.
>
>I put it on my site.
>
>http://www.packetfocus.com/analysis.htm
>
>I would like to know the attack vectors. I'm guessing LSASS.
>
>Joshua Perrymon
>PGP Fingerprint
>51B8 01AC E58B 9BFE D57D 8EF6 C0B2 DECF EC20 6021
>

McAfee VirusScan 7.1 with 4364 DAT detects it as W32/Sdbot.worm.gen.g. Other than that, they have no information besides that they first noticed it on 5/26/2004. It may spread through lsass, but this type of worm is usually limited to spreading through network shares with weak password protection.

Jerry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
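Since the thread pins the bot down to IRC traffic towards its controller, the packet captures Josh mentions are where a defender would look next. The following is an added example, not code from the thread or from packetfocus.com: a Python triage over constructed, reassembled client-to-server payloads that flags any host completing an IRC registration (NICK plus USER) on a non-IRC port or with a bot-style nick; the sample streams, the "normal" IRC port set and the nick pattern are all assumptions.

```python
import re
# Constructed sample of reassembled client->server TCP payloads, as
# (src_host, dst_port, payload); made up here, not data from the original analysis.
SAMPLE_STREAMS = [
    ("10.0.0.5", 80, "GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("10.0.0.5", 6667, "NICK [XP|USA]482910\r\nUSER xp 0 0 :xp\r\nJOIN #secret bkey\r\n"),
    ("10.0.0.5", 8443, "NICK [XP|USA]482910\r\nUSER xp 0 0 :xp\r\nJOIN #secret bkey\r\nPRIVMSG #secret :.login\r\n"),
    ("10.0.0.9", 6667, "NICK jane\r\nUSER jane 0 * :Jane Doe\r\nJOIN #linux\r\n"),
]

IRC_CMDS = {"NICK", "USER", "JOIN", "PRIVMSG", "PASS", "PONG"}
IRC_PORTS = set(range(6660, 6670)) | {7000}        # assumed "normal" IRC ports
BOT_NICK = re.compile(r"^[\[{].*\|.*[\]}]\d+$")     # e.g. [XP|USA]482910 (assumed bot style)

def parse_irc(payload):
    """Return [(command, args)] for payload lines that look like IRC client commands."""
    cmds = []
    for line in payload.splitlines():
        parts = line.split(None, 1)
        if parts and parts[0].upper() in IRC_CMDS:
            cmds.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return cmds

def classify_stream(dst_port, payload):
    """Indicators for one stream, or None unless a full IRC registration (NICK+USER) is seen."""
    cmds = parse_irc(payload)
    if not {"NICK", "USER"} <= {c for c, _ in cmds}:
        return None
    nick = next(a for c, a in cmds if c == "NICK").strip()
    return {"nick": nick,
            "nonstandard_port": dst_port not in IRC_PORTS,
            "bot_like_nick": bool(BOT_NICK.match(nick))}

def triage(streams):
    """Per source host: IRC registrations seen, and how many used odd ports or bot-style nicks."""
    findings = {}
    for src, port, payload in streams:
        ind = classify_stream(port, payload)
        if ind is None:
            continue
        h = findings.setdefault(src, {"irc_streams": 0, "nonstandard_port": 0, "bot_like_nick": 0, "nicks": set()})
        h["irc_streams"] += 1
        h["nonstandard_port"] += ind["nonstandard_port"]
        h["bot_like_nick"] += ind["bot_like_nick"]
        h["nicks"].add(ind["nick"])
    return findings

def suspicious_hosts(streams):
    """Hosts worth pulling FPort/process data from: any odd-port or bot-nick IRC registration."""
    return sorted(h for h, f in triage(streams).items() if f["nonstandard_port"] or f["bot_like_nick"])
```

A plain user on a normal IRC port (10.0.0.9 above) is recorded but not flagged; the host registering the same bracketed nick on both 6667 and 8443 is.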
