mailing list archives
Re: Spybot and SQL
From: "Geza Papp dr (Axelero)" <papp_geza1 () axelero hu>
Date: Fri, 11 Feb 2005 16:50:53 +0100
2005. február 11., 6:34:19, írtad:
Has anyone seen a spybot variant using the target machines
IP address as the password for user SA?
We don't have a name for this variant yet. I might be
reading my captures wrong but that's what this looks like
it's doing .
I'll send captures to individuals if needed.
MF> Some of our MSDE machines running the engine equivalent to SQL Server
MF> 7.0 were hit a few days ago, presumably by something logging in as sa
MF> with a blank password. They dropped off payloads named winlog.exe and
MF> soundblaster.exe. I found information for these files on the Internet,
MF> but neither one was detected by McAfee or Norton. Their fingerprints
MF> looked like an Agobot variant and a Rbot/SDBot variant, respectively,
MF> but as I said, neither was detected.
W32/Agobot-PR is an IRC backdoor Trojan and network worm.
W32/Agobot-PR spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers,
exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by
other worms or Trojans.
When first run W32/Agobot-PR copies itself to the Windows system folder as SRV325.EXE and creates the following
registry entries to run itself on startup:
Each time W32/Agobot-PR is run it attempts to connect to a remote IRC server and join a specific channel.
W32/Agobot-PR then runs continuously in the background, allowing a remote intruder to access and control the computer
via IRC channels.
The Trojan attempts to terminate and disable various anti-virus and security-related programs and modifies the HOSTS
file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address
127.0.0.1 in an attempt to prevent access to these sites. Typically the following mappings will be appended to the
Patches for the operating system vulnerabilities exploited by W32/Agobot-PR can be obtained from Microsoft at:
from Sophos plc.Fri, 11 Feb 2005 14:14:39 +0000 (GMT)
Geza mailto:papp_geza1 () axelero hu
Full-Disclosure - We believe in it.