[unisog] New Bot variants making rounds

Justin Azoff JAzoff at uamail.albany.edu
Mon Apr 4 17:22:17 GMT 2005


On Mon, 2005-04-04 at 11:24 -0400, Michael Holstein wrote:
> Heads up .. found two new ones :
> 
> #1 :
> 
> winsr.exe (and aws.exe and winsr[1-9].exe -- all same size/md5)
> 24576 bytes
> MD5:  8e9f719161adb6feab6a1cea40d066ec
> 
> Virustotal.com reports PandaAV detecting as GAOBOT. Nobody else finds 
> anything.
> 
> In all cases, found it unhidden in C:\
> 
> #2 :
> 
> srv32.exe
> 47104 bytes
> MD5: 2ac6f952f764d6f06fc7665cee023a74
> 
> Virustotal.com reports Kaspersky and a few others (but notably NOT 
> Symantec/Mcafee) as a SDBot variant.

typical...

> In all cases, found it unhidden in %systemroot%\system32\
> 
> If anyone wants copies of these gems, email off-list and tell me how to 
> fool your AV gateway.

Can you submit them to sandbox.norman.no and share the results?

> I've been catching the machines with the (very effective) "RogueIRC" 
> snort sigs from a few months back.
> 
> Happy Hunting,
> 
> Michael Holstein CISSP GCIA
> Cleveland State University


-- 
-- Justin Azoff
-- Network Performance Analyst
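A quick host-side check for the indicators Michael posted, written here as an added example (not code from either poster): it looks in the two reported drop locations for the listed names, sizes and MD5s, and flags a name/size match with a different hash as a possible repacked variant. The labels, verdict strings and default scan paths are assumptions; the hashes, sizes and filenames are the ones from the thread.

```python
"""Check a host for the winsr/aws and srv32 droppers reported on unisog."""
import hashlib
import os
import re

# Indicators as reported: filename pattern, size in bytes, MD5.
INDICATORS = [
    {"label": "winsr/aws dropper (GAOBOT per PandaAV)",
     "name": re.compile(r"^(winsr[1-9]?|aws)\.exe$", re.I),
     "size": 24576, "md5": "8e9f719161adb6feab6a1cea40d066ec"},
    {"label": "srv32 dropper (SDBot variant)",
     "name": re.compile(r"^srv32\.exe$", re.I),
     "size": 47104, "md5": "2ac6f952f764d6f06fc7665cee023a74"},
]

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(name, size, md5):
    """Return (label, verdict) for a matching filename, else None.
    'confirmed' means the MD5 equals the reported sample; a name/size
    match with another hash is where a repacked variant would land."""
    for ind in INDICATORS:
        if not ind["name"].match(name):
            continue
        if md5 == ind["md5"]:
            return ind["label"], "confirmed"
        if size == ind["size"]:
            return ind["label"], "suspicious-size-match"
        return ind["label"], "suspicious-name-only"
    return None

def scan_dir(directory):
    """Non-recursive scan of one directory; hashes only name matches."""
    hits = []
    try:
        entries = list(os.scandir(directory))
    except OSError:
        return hits  # missing or unreadable directory: nothing to report
    for e in entries:
        if e.is_file() and any(i["name"].match(e.name) for i in INDICATORS):
            res = classify(e.name, e.stat().st_size, md5_of(e.path))
            if res:
                hits.append((e.path, *res))
    return hits

if __name__ == "__main__":
    # Reported locations: the root of C:\ and %systemroot%\system32 (assumed paths).
    for d in ("C:\\", os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")):
        for hit in scan_dir(d):
            print(*hit)
```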


