Full Disclosure mailing list archives

RE: Backdoor.Sdbot.N Question

From: "Jade E. Deane" <jade.deane () riven net>
Date: 08 Sep 2003 19:02:06 -0500

Put a sniffer on the offending workstations, see what you get.

Regards,
Jade

On Mon, 2003-09-08 at 17:59, James Patterson Wicks wrote:

Update:  Looked at the firewall and saw that some systems were trying to contact outside systems on ports 135 and 
445.  It looks and acts like "W32.HLLW.Gaobot.AA", but it would have to be some sort of variant due to the change in 
the file names.  Whatdoyathink?

-----Original Message-----
From: James Patterson Wicks 
Sent: Monday, September 08, 2003 4:18 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Backdoor.Sdbot.N Question

Anyone know how Backdoor.Sdbot.N spreads?  This morning we had several users pop up with this trojan (or a new 
variant).  These users generated a ton of traffic until their machines were unplugged from the network.  There 
systems have all the markers for the Backdoor.Sdbot.N trojan (registry entries, etc), but was not picked up by the 
Norton virus scan.  In fact, even it you perform a manual scan after the trojan was discovered, it is still not 
detected in the scan.

I would also like to know if this is also an indicator of not having the patch for the Blaster worm.

This e-mail is the property of Oxygen Media, LLC.  It is intended only for the person or entity to which it is 
addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. 
Distribution or copying of this e-mail or the information contained herein by anyone other than the intended 
recipient is prohibited. If you have received this e-mail in error, please immediately notify us by sending an e-mail 
to postmaster () oxygen com and destroy all electronic and paper copies of this e-mail.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 

PGP Public Key:  http://www.riven.net/~moose/key.asc
Key fingerprint = C497 1FEC 6FC4 6896 6AB5  9A26 71DF 521B 0612 D1B8

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Backdoor.Sdbot.N Question James Patterson Wicks (Sep 08)
- RE: Backdoor.Sdbot.N Question Bojan Zdrnja (Sep 08)
- Re: Backdoor.Sdbot.N Question Nick FitzGerald (Sep 08)
- <Possible follow-ups>
- RE: Backdoor.Sdbot.N Question James Patterson Wicks (Sep 08)
  - RE: Backdoor.Sdbot.N Question Jade E. Deane (Sep 08)
  - Re: Backdoor.Sdbot.N Question cseagle (Sep 09)
- RE: Backdoor.Sdbot.N Question Nick Jacobsen (Sep 08)
- RE: Backdoor.Sdbot.N Question James Patterson Wicks (Sep 09)