Page 2 of 2 FirstFirst 12
Results 11 to 12 of 12

Thread: Strange network activity

  1. #11
    Junior Member
    Join Date
    Apr 2004

    Cool Well........

    Well........If by somone was trying to acess a Japan port 300 times from an internal machine. Do you mean that you detected some one in your office trying to acess it? Or is it from the outside?
    TRINITY IS COOL........
    (C++ Novice)

  2. #12
    Junior Member
    Join Date
    Jan 2004
    Hey everyone,

    Ok.. here is what happened:

    On different infected machines we found three different worms:

    - SDBot.ZA
    - IRCBOT.K
    - SDBot.LL

    These worms are NOT documented by Symantec (we submitted all the infected files to them and never got any reply). We got more info from our investigations and finally found some infromation from the trend micro website.

    Since we didn't found any removal tool for this worm we coded one that simply removes registry entries and various files that it writes on the disk. Now that we ran the fix on all the infected workstations the situation is back to normal.

    One last interesting thing... when doing a "strings" on one of the infected file we can clearly see that one of them is called "rBot"

    Thanks to you for submitting your ideas,


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts