[unisog] New Bot variants making rounds

Michael Holstein michael.holstein at csuohio.edu
Mon Apr 4 16:04:00 GMT 2005


For those of you that use McAfee A/V: here is an EXTRA.DAT to deal with these guys.

Michael Holstein CISSP GCIA
Cleveland State University

> Heads up .. found two new ones :
> 
> #1 :
> 
> winsr.exe (and aws.exe and winsr[1-9].exe -- all same size/md5)
> 24576 bytes
> MD5:  8e9f719161adb6feab6a1cea40d066ec
> 
> Virustotal.com reports PandaAV detecting as GAOBOT. Nobody else finds 
> anything.
> 
> In all cases, found it unhidden in C:\
> 
> #2 :
> 
> srv32.exe
> 47104 bytes
> MD5: 2ac6f952f764d6f06fc7665cee023a74
> 
> Virustotal.com reports Kaspersky and a few others (but notably NOT 
> Symantec/McAfee) as a SDBot variant.
> 
> In all cases, found it unhidden in %systemroot%\system32\
> 
> If anyone wants copies of these gems, email off-list and tell me how to 
> fool your AV gateway.
> 
> I've been catching the machines with the (very effective) "RogueIRC" 
> snort sigs from a few months back.
> 
> Happy Hunting,
> 
> Michael Holstein CISSP GCIA
> Cleveland State University
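A defender-side check for the two indicators quoted in the post, written here as an added example (it is not code from the original message, the list, or McAfee): it looks in the two directories the post names, matches file name, then size, then MD5, and reports how far the match got. The default directory list and the confidence labels are my own assumptions.

```python
import hashlib
import os
import re
from pathlib import Path

# Indicators taken from the quoted post: name pattern, size in bytes, MD5.
INDICATORS = [
    {"name": "GAOBOT (winsr.exe / aws.exe / winsr[1-9].exe)",
     "pattern": re.compile(r"^(winsr[1-9]?|aws)\.exe$", re.IGNORECASE),
     "size": 24576,
     "md5": "8e9f719161adb6feab6a1cea40d066ec"},
    {"name": "SDBot variant (srv32.exe)",
     "pattern": re.compile(r"^srv32\.exe$", re.IGNORECASE),
     "size": 47104,
     "md5": "2ac6f952f764d6f06fc7665cee023a74"},
]

def md5_of(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan(directories, indicators=INDICATORS):
    """Return (path, indicator name, confidence) for every file whose name matches.
    Confidence is 'md5' when the hash also matches, 'name+size' when only the
    size matches (a cheap check done before hashing), else 'name'."""
    hits = []
    for d in directories:
        root = Path(d)
        if not root.is_dir():
            continue
        for entry in root.iterdir():   # post says the files sit unhidden at top level
            if not entry.is_file():
                continue
            for ioc in indicators:
                if not ioc["pattern"].match(entry.name):
                    continue
                if entry.stat().st_size != ioc["size"]:
                    hits.append((str(entry), ioc["name"], "name"))
                elif md5_of(entry) == ioc["md5"]:
                    hits.append((str(entry), ioc["name"], "md5"))
                else:
                    hits.append((str(entry), ioc["name"], "name+size"))
    return hits

if __name__ == "__main__":
    import sys
    # Assumed defaults: the two locations named in the post.
    default = ["C:\\", os.path.join(os.environ.get("SystemRoot", "C:\\Windows"), "system32")]
    for hit in scan(sys.argv[1:] or default):
        print(*hit, sep="\t")
```

Pass other directories on the command line to scan somewhere else; a 'name' or 'name+size' hit is worth a look but only an 'md5' hit ties the file to the post's samples.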