-
Hey Hey:
hogfly: How is spybot any different than mydoom or sasser or anything else? It's the virus name. The worm portion as the classification.
TH13: I've been looking at this at work and we'd concluded that it was Spybot and SDBot... It may be old, but it's definitely holding true to the writeups on it... Our Admins first thought that it was Sasser, but when the Sasser removal tools proved useless, we spent hours analyzing logs and sifting through files...
I ended up creating a half-assed workaround/fix... which I've posted @ http://www.antionline.com/showthread...hreadid=262057
It removes the questionable files and their registry entries...
I've got a few IRC Servers that they've been trying to connect to... If I get a chance tomorrow I'll dump up the information from the captures for you to glance over if you are interested.
The common link in the files we're dealing with is that they're always in system32.... they're always flooding out the lsass exploit.. but we are also seeing the rpc exploit at times.. and the names closely mimic real or seemingly-real files... The registry entry is also always a key value that seems like it's something you shouldn't touch (DirectX, Windows Update).
You can check out the batch file for more details on the specific files I've dealt with.
Peace,
HT
PS.. It's good to be posting again... Those 18-20 hours days were a real hassle.
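The indicators HT lists above (a persistence value under the Run key named after something you "shouldn't touch", pointing at a look-alike binary dropped in system32) can be triaged from a registry export before anything is deleted. The script below is an added example and is not HT's batch file or anything from the thread; it parses a constructed .reg export (already decoded to text; real exports from regedit are UTF-16) of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and flags values whose name mimics a system component or whose target is an unrecognised executable in system32. The file names in the sample export and the allowlist are made up for the demonstration.

```python
"""Triage an exported Windows Run key for worm-style persistence entries.

Added example (not from the thread). Two checks, matching the post's
indicators:
  1. the value name borrows a trustworthy-sounding label (DirectX, Windows Update)
  2. the value data points into system32 at a binary not on a host allowlist
Flagging is advisory: a human still decides what to remove.
"""
import re

# One .reg line of the form  "name"="data"  (string values only; other
# value types such as hex: or dword: are ignored by this parser).
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Constructed allowlist: autorun binaries known to be legitimate on this host.
KNOWN_GOOD_SYSTEM32 = {"ctfmon.exe", "rundll32.exe"}

# Decoy labels the post says the worm uses for its registry value name.
DECOY_NAMES = ("directx", "windows update", "microsoft update")

# Constructed sample export; the *32.exe names are invented for the example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"DirectX Driver"="C:\\WINDOWS\\system32\\dxdrvr32.exe"
"Windows Update"="C:\\WINDOWS\\system32\\wupdmgr32.exe"
"SomeApp"="C:\\Program Files\\SomeApp\\someapp.exe"
'''


def parse_run_values(reg_text):
    """Return {value_name: path} for every string value in the export.

    .reg files escape backslashes as '\\\\'; collapse them back to single
    backslashes so the path can be inspected normally.
    """
    values = {}
    for line in reg_text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values


def triage(reg_text):
    """Return a list of {"name", "path", "reasons"} for suspicious entries."""
    findings = []
    for name, path in parse_run_values(reg_text).items():
        reasons = []
        lowered = path.lower()
        basename = lowered.rsplit("\\", 1)[-1]

        # Check 1: decoy value name mimicking a Windows component.
        if any(decoy in name.lower() for decoy in DECOY_NAMES):
            reasons.append("decoy_name")

        # Check 2: executable dropped into system32 that we do not recognise.
        if "\\system32\\" in lowered and basename not in KNOWN_GOOD_SYSTEM32:
            reasons.append("unknown_system32_binary")

        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_REG_EXPORT):
        print(f'{hit["name"]!r} -> {hit["path"]}  [{", ".join(hit["reasons"])}]')
```

On the constructed export this flags "DirectX Driver" and "Windows Update" (both a decoy name and an unrecognised system32 binary) and leaves ctfmon and the Program Files entry alone. The allowlist is the part that has to be tuned per environment; a look-alike name that happens to match a real system file would pass check 2, which is why check 1 is kept as an independent signal.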
-
HT: I suppose it comes from discussions I've had with various people on the subject of malware names. Not that I mind a generic useless name for a worm, but I'd rather they simply called it just that, instead of doing what they currently do, which is at first call it by its generic name, then specify it and have it be totally different than what other vendors call it. I'd love to see all of the vendors use either the generic name, or the same specific name. Just a gripe of mine I suppose.... Who cares what extension it has..whether it's spybot.abc or gaobot.baj etc...classify it as spybot and leave it as such. Heck..call it all polybot because that's all it really is anyways...
Anywho...if anyone is interested I can take virus submittals and do some quick analysis for you in a pinch...just let me know..and no I don't take hours like the vendors do.