
Thread: New IRC bot

  1. #11 (Senior Member, joined Jan 2003, 3,915 posts)
    Hey Hey:

    hogfly: How is Spybot any different than MyDoom or Sasser or anything else? It's the virus name. The worm portion is the classification.

    TH13: I've been looking at this at work and we'd concluded that it was Spybot and SDBot... It may be old, but it's definitely holding true to the writeups on it... Our admins first thought that it was Sasser, but when the Sasser removal tools proved useless, we spent hours analyzing logs and sifting through files...

    I ended up creating a half-assed workaround/fix... which I've posted @ http://www.antionline.com/showthread...hreadid=262057

    It removes the questionable files and their registry entries...

    I've got a few IRC Servers that they've been trying to connect to... If I get a chance tomorrow I'll dump up the information from the captures for you to glance over if you are interested.

    The common link in the files we're dealing with is that they're always in system32... they're always flooding out the LSASS exploit, but we are also seeing the RPC exploit at times, and the names closely mimic real or seemingly-real files... The registry entry is also always a key value that seems like it's something you shouldn't touch (DirectX, Windows Update).

    You can check out the batch file for more details on the specific files I've dealt with.

    Peace,
    HT


    PS.. It's good to be posting again... Those 18-20 hour days were a real hassle.

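The indicators HT lists above (a binary dropped straight into system32, a Run-key value with an innocuous name like "DirectX" or "Windows Update", outbound floods on the LSASS and RPC ports, and a callback to an IRC server) can be checked mechanically rather than by hand-sifting logs. The script below is an added example, not HT's batch file or anything from the original thread; the registry dump, file names and connection records are constructed for the demo, and the lookalike-name list, the scan threshold and the 6660-7000 IRC port range are assumptions.

```python
"""Triage helpers for the Spybot/SDBot-style pattern described in the post.
Added example; all sample data below is constructed, not captured."""
import re
from collections import defaultdict

# Constructed "reg query ...\Run" style output. File names are made up.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMAX    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
    DirectX     REG_SZ    C:\WINDOWS\system32\dxupdate32.exe
    Windows Update    REG_SZ    C:\WINDOWS\system32\wuamgrd.exe
"""

# Value names the bot borrows so the entry looks untouchable (assumed list).
LOOKALIKE_NAMES = {"directx", "windows update", "microsoft update"}
# The post's common link: the dropped executable sits directly in system32.
SYSTEM32_EXE = re.compile(r"\\system32\\[^\\]+\.exe$", re.IGNORECASE)
REG_LINE = re.compile(r"^\s+(.+?)\s{2,}REG_\w+\s{2,}(.+?)\s*$")


def flag_run_entries(reg_text):
    """Return (value_name, path, reasons) for Run entries that match the indicators."""
    hits = []
    for line in reg_text.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, path = m.group(1), m.group(2)
        reasons = []
        if name.lower() in LOOKALIKE_NAMES:
            reasons.append("lookalike value name")
        if SYSTEM32_EXE.search(path):
            reasons.append("executable dropped directly in system32")
        if reasons:
            hits.append((name, path, reasons))
    return hits


# LSASS is reached over 445, the RPC endpoint mapper over 135.
EXPLOIT_PORTS = {445: "lsass", 135: "rpc"}


def _constructed_log():
    """Build firewall-style records 'timestamp src dst dst_port' (constructed)."""
    lines = []
    # 10.1.2.40 sweeps 30 neighbours on 445 and 5 on 135, then calls an IRC server.
    for i in range(1, 31):
        lines.append(f"2004-05-12T09:00:{i:02d} 10.1.2.40 10.1.3.{i} 445")
    for i in range(1, 6):
        lines.append(f"2004-05-12T09:01:{i:02d} 10.1.2.40 10.1.4.{i} 135")
    lines.append("2004-05-12T09:02:00 10.1.2.40 198.51.100.7 6667")
    # 10.1.2.55 is an ordinary client touching a few file servers on 445.
    for i in range(1, 4):
        lines.append(f"2004-05-12T09:00:{i:02d} 10.1.2.55 10.1.3.{i} 445")
    return "\n".join(lines)


def triage_connections(log_text, scan_threshold=20, irc_ports=range(6660, 7001)):
    """Map source IP -> list of findings: LSASS/RPC sweeps and outbound IRC."""
    targets = defaultdict(lambda: defaultdict(set))  # src -> service -> {dst}
    irc = defaultdict(set)                           # src -> {"dst:port"}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, src, dst, port = parts
        port = int(port)
        if port in EXPLOIT_PORTS:
            targets[src][EXPLOIT_PORTS[port]].add(dst)
        elif port in irc_ports:
            irc[src].add(f"{dst}:{port}")
    verdicts = {}
    for src in set(targets) | set(irc):
        probed = sum(len(hosts) for hosts in targets[src].values())
        findings = []
        if probed >= scan_threshold:  # a legit client does not touch 20+ hosts here
            findings.append(f"{probed} distinct hosts probed on lsass/rpc ports")
        if irc[src]:
            findings.append("outbound irc: " + ", ".join(sorted(irc[src])))
        if findings:
            verdicts[src] = findings
    return verdicts


if __name__ == "__main__":
    for name, path, reasons in flag_run_entries(SAMPLE_RUN_KEY):
        print(f"[run key] {name!r} -> {path}: {'; '.join(reasons)}")
    for src, findings in triage_connections(_constructed_log()).items():
        print(f"[network] {src}: {'; '.join(findings)}")
```

Feed `flag_run_entries` the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKCU equivalent) and `triage_connections` a per-connection export from the border firewall; the registry check finds the persistence entry to remove, the network check finds which hosts are still sweeping and which server they are reporting to.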
  2. #12 (Computer Forensics, joined Jul 2001, 672 posts)
    HT: I suppose it comes from discussions I've had with various people on the subject of malware names. Not that I mind a generic useless name for a worm, but I'd rather they simply called it just that, instead of doing what they currently do, which is at first call it by its generic name, then specify it and have it be totally different than what other vendors call it. I'd love to see all of the vendors use either the generic name, or the same specific name. Just a gripe of mine I suppose.... Who cares what extension it has, whether it's spybot.abc or gaobot.baj etc... classify it as Spybot and leave it as such. Heck, call it all Polybot because that's all it really is anyway...

    Anywho... if anyone is interested I can take virus submittals and do some quick analysis for you in a pinch... just let me know... and no, I don't take hours like the vendors do.

    Antionline in a nutshell:
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
