"Perrymon, Josh L." wrote:
>
> I found this worm/trojan on a laptop. Ran FPort and found the .exe.
> Doesn't look like it propagates to other machines but rather communicates
> with a compromised web company's server using IRC. The compromised server
> has removed the IRC service. Only sends RST packets back.
> <snip>
> I would like to know the attack vectors. I'm guessing LSASS.

AntiVirus scanners identify our trojan as:

BitDefender : Backdoor.SDBot.Gen
Kaspersky   : Backdoor.Rbot.gen
McAfee      : W32/Sdbot.worm.gen.g
Symantec    : W32.Spybot.Worm
Trend Micro : WORM_SPYBOT.AP

From a quick look at the file I'd say the following is the best
description of that trojan. There're several attack vectors ...

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.AP&VSect=T

Regards,
Axel Pettinger

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
