[unisog] New Bot variants making rounds

Michael Holstein michael.holstein at csuohio.edu
Mon Apr 4 15:24:49 GMT 2005


Heads up.. found two new ones:

#1 :

winsr.exe (and aws.exe and winsr[1-9].exe -- all same size/md5)
24576 bytes
MD5: 8e9f719161adb6feab6a1cea40d066ec

Virustotal.com reports PandaAV detecting as GAOBOT. Nobody else finds 
anything.

In all cases, found it unhidden in C:\

#2 :

srv32.exe
47104 bytes
MD5: 2ac6f952f764d6f06fc7665cee023a74

Virustotal.com reports Kaspersky and a few others (but notably NOT 
Symantec/McAfee) as an SDBot variant.

In all cases, found it unhidden in %systemroot%\system32\

If anyone wants copies of these gems, email off-list and tell me how to 
fool your AV gateway.

I've been catching the machines with the (very effective) "RogueIRC" 
snort sigs from a few months back.

Happy Hunting,

Michael Holstein CISSP GCIA
Cleveland State University
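As an added example (not part of Michael's post, and unrelated to the snort sigs he mentions), here is a Python sweep a responder could run on a suspect box to check the two drop locations named above against the posted file names, sizes and MD5s. The indicator table is taken from the post; the directory defaults and the labels are assumptions.

```python
import hashlib
import os
import re

# Indicators as posted: file-name patterns, sizes in bytes, MD5 digests.
IOCS = [
    {"label": "winsr.exe / aws.exe / winsr[1-9].exe (Panda: GAOBOT)",
     "name": re.compile(r"^(?:winsr[1-9]?|aws)\.exe$", re.IGNORECASE),
     "size": 24576, "md5": "8e9f719161adb6feab6a1cea40d066ec"},
    {"label": "srv32.exe (Kaspersky: SDBot variant)",
     "name": re.compile(r"^srv32\.exe$", re.IGNORECASE),
     "size": 47104, "md5": "2ac6f952f764d6f06fc7665cee023a74"},
]

def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks rather than loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(path):
    """None if the name matches no indicator, else a dict with size/MD5 match flags.
    A name hit whose hash differs is still worth a look: the post saw renamed copies."""
    name = os.path.basename(path)
    for ioc in IOCS:
        if ioc["name"].match(name):
            digest = md5_of(path)
            return {"path": path, "label": ioc["label"], "md5": digest,
                    "size_match": os.path.getsize(path) == ioc["size"],
                    "md5_match": digest == ioc["md5"]}
    return None

def sweep(directories):
    """Top-level check of each existing directory (the post found the files unhidden there)."""
    hits = []
    for d in filter(os.path.isdir, directories):
        with os.scandir(d) as entries:
            for entry in entries:
                if entry.is_file():
                    result = classify(entry.path)
                    if result:
                        hits.append(result)
    return hits

if __name__ == "__main__":
    # Assumed defaults: the two locations the post names, via the usual env vars.
    roots = [os.environ.get("SystemDrive", "C:") + os.sep,
             os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")]
    for hit in sweep(roots):
        print(hit["path"], hit["label"], "CONFIRMED" if hit["md5_match"] else "hash differs")
```

A size or hash mismatch on a name hit is reported rather than dropped, since a repacked copy would keep the file name but not the digest.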

