[unisog] New Bot variants making rounds
JAzoff at uamail.albany.edu
Mon Apr 4 17:22:17 GMT 2005
On Mon, 2005-04-04 at 11:24 -0400, Michael Holstein wrote:
> Heads up .. found two new ones :
> #1 :
> winsr.exe (and aws.exe and winsr[1-9].exe -- all same size/md5)
> 24576 bytes
> MD5: 8e9f719161adb6feab6a1cea40d066ec
> Virustotal.com reports PandaAV detecting as GAOBOT. Nobody else finds
> In all cases, found it unhidden in C:\
> #2 :
> 47104 bytes
> MD5: 2ac6f952f764d6f06fc7665cee023a74
> Virustotal.com reports Kaspersky and a few others (but notably NOT
> Symantec/McAfee) as a SDBot variant.
> In all cases, found it unhidden in %systemroot%\system32\
> If anyone wants copies of these gems, email off-list and tell me how to
> fool your AV gateway.
Can you submit them to sandbox.norman.no and share the results?
> I've been catching the machines with the (very effective) "RogueIRC"
> snort sigs from a few months back.
> Happy Hunting,
> Michael Holstein CISSP GCIA
> Cleveland State University
-- Justin Azoff
-- Network Performance Analyst