Full Disclosure mailing list archives

Re[2]: Spybot and SQL
From: "Geza Papp dr (Axelero)" <papp_geza1 () axelero hu>
Date: Fri, 11 Feb 2005 16:50:53 +0100

Hello Matthew,

On 11 February 2005, at 6:34:19, you wrote:

Hi All,
Has anyone seen a spybot variant using the target machine's
IP address as the password for user SA?

We don't have a name for this variant yet. I might be
reading my captures wrong but that's what this looks like
it's doing.

I'll send captures to individuals if needed.

MF> Some of our MSDE machines running the engine equivalent to SQL Server
MF> 7.0 were hit a few days ago, presumably by something logging in as sa
MF> with a blank password.  They dropped off payloads named winlog.exe and
MF> soundblaster.exe.  I found information for these files on the Internet,
MF> but neither one was detected by McAfee or Norton.  Their fingerprints
MF> looked like an Agobot variant and a Rbot/SDBot variant, respectively,
MF> but as I said, neither was detected.

W32/Agobot-PR is an IRC backdoor Trojan and network worm.

W32/Agobot-PR spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, 
exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by 
other worms or Trojans.

When first run W32/Agobot-PR copies itself to the Windows system folder as SRV325.EXE and creates the following 
registry entries to run itself on startup:



Each time W32/Agobot-PR is run it attempts to connect to a remote IRC server and join a specific channel.

W32/Agobot-PR then runs continuously in the background, allowing a remote intruder to access and control the computer 
via IRC channels.

The Trojan attempts to terminate and disable various anti-virus and security-related programs and modifies the HOSTS 
file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 
in an attempt to prevent access to these sites. Typically the following mappings will be appended to the HOSTS file:

  www.symantec.com
  securityresponse.symantec.com
  symantec.com
  www.sophos.com
  sophos.com
  www.mcafee.com
  mcafee.com
  liveupdate.symantecliveupdate.com
  www.viruslist.com
  viruslist.com
  viruslist.com
  f-secure.com
  www.f-secure.com
  kaspersky.com
  www.avp.com
  www.kaspersky.com
  avp.com
  www.networkassociates.com
  networkassociates.com
  www.ca.com
  ca.com
  mast.mcafee.com
  my-etrust.com
  www.my-etrust.com
  download.mcafee.com
  dispatch.mcafee.com
  secure.nai.com
  nai.com
  www.nai.com
  update.symantec.com
  updates.symantec.com
  us.mcafee.com
  liveupdate.symantec.com
  customer.symantec.com
  rads.mcafee.com
  trendmicro.com
  www.trendmicro.com

Patches for the operating system vulnerabilities exploited by W32/Agobot-PR can be obtained from Microsoft at:


from Sophos plc., Fri, 11 Feb 2005 14:14:39 +0000 (GMT)

 Geza                            mailto:papp_geza1 () axelero hu
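An added example for this thread, not code from Sophos or from either post: a small Python checker for the HOSTS-file tampering the Sophos description above attributes to W32/Agobot-PR. It parses HOSTS-file text and flags every line that maps one of the quoted security-vendor hostnames (or a subdomain of one) to a loopback or unspecified address, which is the sinkholing behaviour described. The function and class names (`scan_hosts`, `Finding`) are assumed, the vendor list is the one quoted above, and the sample HOSTS content is constructed; a real run would read %WINDOWS%\System32\Drivers\etc\HOSTS instead.

```python
"""Flag security-vendor hostnames that a HOSTS file redirects to loopback.

Added example for the W32/Agobot-PR discussion; not Sophos code.
Vendor domains come from the quoted description; sample data is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Domains quoted in the Sophos description (duplicates collapsed by the set).
VENDOR_DOMAINS = {
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "www.sophos.com", "sophos.com", "www.mcafee.com", "mcafee.com",
    "liveupdate.symantecliveupdate.com", "www.viruslist.com", "viruslist.com",
    "f-secure.com", "www.f-secure.com", "kaspersky.com", "www.avp.com",
    "www.kaspersky.com", "avp.com", "www.networkassociates.com",
    "networkassociates.com", "www.ca.com", "ca.com", "mast.mcafee.com",
    "my-etrust.com", "www.my-etrust.com", "download.mcafee.com",
    "dispatch.mcafee.com", "secure.nai.com", "nai.com", "www.nai.com",
    "update.symantec.com", "updates.symantec.com", "us.mcafee.com",
    "liveupdate.symantec.com", "customer.symantec.com", "rads.mcafee.com",
    "trendmicro.com", "www.trendmicro.com",
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    address: str
    hostname: str


def _is_sinkhole(addr: str) -> bool:
    """True for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # not an IP at all; malformed line, ignore
    return ip.is_loopback or ip.is_unspecified


def _matches_vendor(host: str) -> bool:
    """Exact match or subdomain of any listed vendor domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def scan_hosts(text: str) -> list[Finding]:
    """Return one Finding per (line, hostname) that sinkholes a vendor domain."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = line.split()                  # tabs and spaces both separate
        addr, hostnames = fields[0], fields[1:]
        if not _is_sinkhole(addr):
            continue                           # normal entry, e.g. a file server
        for host in hostnames:
            if _matches_vendor(host):
                findings.append(Finding(line_no, addr, host))
    return findings


# Constructed sample: a stock header, a normal localhost line, a benign
# internal mapping, then four tampered lines in the styles a worm might use.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # constructed, legitimate entry
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1\tliveupdate.symantecliveupdate.com
0.0.0.0         update.symantec.com
::1             www.sophos.com
"""


if __name__ == "__main__":
    for f in scan_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address}")
```

The check deliberately ignores the legitimate `localhost` line and the private-address mapping, and treats `0.0.0.0` and `::1` the same as `127.0.0.1`, since any of them blocks the update site equally well. Subdomain matching means a variant that adds, say, a new host under one of the listed domains is still caught.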

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
