[unisog] More: Bot outbreak exploiting SYM06-010

Brian Eckman eckman at umn.edu
Tue Nov 28 19:40:14 GMT 2006


Symantec is calling it W32.Spybot.ACYR

http://www.symantec.com/security_response/writeup.jsp?docid=2006-112810-5302-99

FWIW, I did not observe exactly what they say, but it is still much more
accurate than most of their writeups. They generally don't give each
variant its own description - even this one was initially being detected
as "W32.Spybot.Worm".

Robert Lemos wrote an article about the outbreak - it's at
http://www.securityfocus.com/news/11426/1 for those who are interested.

Thanks,
Brian

Liu, David wrote:
> Any idea on if the malware info has been made public on the Symantec
> site?
> 
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Brian Eckman
> Sent: Monday, November 27, 2006 7:02 PM
> To: UNIversity Security Operations Group
> Subject: [unisog] More: Bot outbreak exploiting SYM06-010
> 
> We had a number of hosts become infected with an IRC bot today that used
> www.flackware.info as the Command and Control. Here is information that
> I know so far:

<snip>

-- 
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance

