[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re[2]: [Full-Disclosure] Spybot and SQL
- To: "Matthew Farrenkopf" <farrenkm@xxxxxxxx>
- Subject: Re[2]: [Full-Disclosure] Spybot and SQL
- From: "Geza Papp dr (Axelero)" <papp_geza1@xxxxxxxxxx>
- Date: Fri, 11 Feb 2005 16:50:53 +0100
Hello Matthew,
2005. február 11., 6:34:19, írtad:
>>Hi All,
>>Has anyone seen a spybot variant using the target machines
>>IP address as the password for user SA?
>>
>>We don't have a name for this variant yet. I might be
>>reading my captures wrong but that's what this looks like
>>it's doing .
>>
>>I'll send captures to individuals if needed.
MF> Some of our MSDE machines running the engine equivalent to SQL Server
MF> 7.0 were hit a few days ago, presumably by something logging in as sa
MF> with a blank password. They dropped off payloads named winlog.exe and
MF> soundblaster.exe. I found information for these files on the Internet,
MF> but neither one was detected by McAfee or Norton. Their fingerprints
MF> looked like an Agobot variant and a Rbot/SDBot variant, respectively,
MF> but as I said, neither was detected.
W32/Agobot-PR is an IRC backdoor Trojan and network worm.
W32/Agobot-PR spreads using a variety of techniques including exploiting weak
passwords on computers and SQL servers, exploiting operating system
vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using
backdoors opened by other worms or Trojans.
When first run W32/Agobot-PR copies itself to the Windows system folder as
SRV325.EXE and creates the following registry entries to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Srv325
Srv325.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Srv325
Srv325.exe
Each time W32/Agobot-PR is run it attempts to connect to a remote IRC server
and join a specific channel.
W32/Agobot-PR then runs continuously in the background, allowing a remote
intruder to access and control the computer via IRC channels.
The Trojan attempts to terminate and disable various anti-virus and
security-related programs and modifies the HOSTS file located at
%WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites to
the loopback address 127.0.0.1 in an attempt to prevent access to these sites.
Typically the following mappings will be appended to the HOSTS file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
Patches for the operating system vulnerabilities exploited by W32/Agobot-PR can
be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx
from Sophos plc.Fri, 11 Feb 2005 14:14:39 +0000 (GMT)
--
Üdvözlettel,
Geza mailto:papp_geza1@xxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html