On Jun 3, 2004, at 1:54 PM, Perrymon, Josh L. wrote:
I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
Doesn't look like it propagates to other machines but rather communicates
with a compromised
web companies server using IRC. The compromised server has removed the IRC
service. Only sends RST packets back.
I put it on my site.
http://www.packetfocus.com/analysis.htm
I would like to know the attack vectors. I'm guessing LSASS.
It's a variant of W32.Spybot.Worm aparently. Symantec AntiVirus Defs as of 6/3/04 Rev 36 (just created) detect it.
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/ norton_antivirus/rapidrelease/symcrapidreleasedefsi32.exe
-Josh
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
