[unisog] New Bot variants making rounds
michael.holstein at csuohio.edu
Mon Apr 4 15:24:49 GMT 2005
Heads up... found two new ones:
winsr.exe (and aws.exe and winsr[1-9].exe -- all same size/md5)
Virustotal.com reports PandaAV detecting as GAOBOT. Nobody else finds
In all cases, found it unhidden in C:\
Virustotal.com reports Kaspersky and a few others (but notably NOT
Symantec/McAfee) as an SDBot variant.
In all cases, found it unhidden in %systemroot%\system32\
If anyone wants copies of these gems, email off-list and tell me how to
fool your AV gateway.
I've been catching the machines with the (very effective) "RogueIRC"
snort sigs from a few months back.
Michael Holstein CISSP GCIA
Cleveland State University