Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re[2]: Spybot and SQL
From: "Geza Papp dr (Axelero)" <papp_geza1 () axelero hu>
Date: Fri, 11 Feb 2005 16:50:53 +0100

Hello Matthew,

2005. február 11., 6:34:19, írtad:

Hi All,
Has anyone seen a spybot variant using the target machines
IP address as the password for user SA?

We don't have a name for this variant yet. I might be
reading my captures wrong but that's what this looks like
it's doing .

I'll send captures to individuals if needed.

MF> Some of our MSDE machines running the engine equivalent to SQL Server
MF> 7.0 were hit a few days ago, presumably by something logging in as sa
MF> with a blank password.  They dropped off payloads named winlog.exe and
MF> soundblaster.exe.  I found information for these files on the Internet,
MF> but neither one was detected by McAfee or Norton.  Their fingerprints
MF> looked like an Agobot variant and a Rbot/SDBot variant, respectively,
MF> but as I said, neither was detected.

W32/Agobot-PR is an IRC backdoor Trojan and network worm.

W32/Agobot-PR spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, 
exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by 
other worms or Trojans.

When first run W32/Agobot-PR copies itself to the Windows system folder as SRV325.EXE and creates the following 
registry entries to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Srv325
Srv325.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Srv325
Srv325.exe

Each time W32/Agobot-PR is run it attempts to connect to a remote IRC server and join a specific channel.

W32/Agobot-PR then runs continuously in the background, allowing a remote intruder to access and control the computer 
via IRC channels.

The Trojan attempts to terminate and disable various anti-virus and security-related programs and modifies the HOSTS 
file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 
127.0.0.1 in an attempt to prevent access to these sites. Typically the following mappings will be appended to the 
HOSTS file:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com

Patches for the operating system vulnerabilities exploited by W32/Agobot-PR can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx

from Sophos plc.Fri, 11 Feb 2005 14:14:39 +0000 (GMT)

-- 
Üdvözlettel,
 Geza                            mailto:papp_geza1 () axelero hu


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault