
SANS ISC: Yahoo Messenger worm?; exploited.lsass.cc bot traffic - Internet Security | DShield SANS ISC InfoSec Forums


Yahoo Messenger worm?; exploited.lsass.cc bot traffic

A user reported:

"I've been receiving messages from people I haven't talked to in years via Yahoo Messenger tonight. The message is simply a URL. The URL is
http://yahoo-secretDOTtripodDOTcom"


If you're seeing traffic to exploited.lsass.cc, you should examine your hosts for a new bot.



A few of the handlers are examining a new bot binary.

A bot controller was discovered during this malware analysis.


The bots connect to "exploited.lsass.cc" on port 19899 (TCP), which currently resolves to:

Name:    exploited.lsass.cc
Address: 158.195.101.192

Name:    exploited.lsass.cc
Address: 140.123.105.125

DNS resolution for the domain is provided by dnsmadeeasy.com.

The binary appears to be a version of rbot/sdbot.
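The indicators above (the controller hostname, the two addresses it resolves to, and TCP port 19899) are what a defender would sweep logs for. The following is an added example, not part of the diary: it runs those indicators over a few constructed DNS-query and firewall connection log lines (the log format and the internal 10.0.0.x hosts are assumed) and reports which internal hosts should be examined for the bot.

```python
import re

# Indicators taken from the diary entry: controller name, its current
# addresses, and the TCP port the bots connect to.
C2_HOST = "exploited.lsass.cc"
C2_IPS = {"158.195.101.192", "140.123.105.125"}
C2_PORT = 19899

# Constructed sample log lines (not from the diary). Two formats are mixed:
# a DNS query log ("dns query client=... qname=...") and a firewall
# connection log ("conn src:port -> dst:port proto").
SAMPLE_LOGS = [
    "2005-03-20 01:12:07 dns query client=10.0.0.23 qname=exploited.lsass.cc type=A",
    "2005-03-20 01:12:08 conn 10.0.0.23:1041 -> 158.195.101.192:19899 tcp",
    "2005-03-20 01:12:09 conn 10.0.0.23:1042 -> 198.51.100.7:80 tcp",
    "2005-03-20 01:13:44 dns query client=10.0.0.45 qname=www.example.com type=A",
    "2005-03-20 01:15:02 conn 10.0.0.45:1100 -> 140.123.105.125:19899 tcp",
    "2005-03-20 01:16:30 conn 10.0.0.9:1200 -> 140.123.105.125:443 tcp",
]

DNS_RE = re.compile(r"client=(\S+) qname=(\S+)")
CONN_RE = re.compile(r"conn (\S+):\d+ -> (\S+):(\d+) (\w+)")


def match_line(line):
    """Return (internal_host, reason) if the line hits an indicator, else None."""
    m = DNS_RE.search(line)
    if m:
        client, qname = m.groups()
        if qname.rstrip(".").lower() == C2_HOST:
            return (client, "dns lookup of " + C2_HOST)
        return None
    m = CONN_RE.search(line)
    if m:
        src, dst, port, proto = m.groups()
        if dst in C2_IPS and int(port) == C2_PORT and proto == "tcp":
            return (src, "tcp connection to %s:%d" % (dst, C2_PORT))
        if dst in C2_IPS:
            # Same address on another port: the controller box may host more
            # than one service, so still worth a look, but weaker evidence.
            return (src, "traffic to known C2 address %s (port %s)" % (dst, port))
    return None


def suspect_hosts(lines):
    """Map each internal host to the list of indicator hits observed for it."""
    hits = {}
    for line in lines:
        r = match_line(line)
        if r:
            hits.setdefault(r[0], []).append(r[1])
    return hits


if __name__ == "__main__":
    for host, reasons in suspect_hosts(SAMPLE_LOGS).items():
        print(host, "->", "; ".join(reasons))
```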



Antivirus scan results for the binary (scanner, version, signature date, result):

Scanner        Version          Signature date   Result
AntiVir        6.30.0.7         03.18.2005       no virus found
AVG            718              03.18.2005       no virus found
BitDefender    7.0              03.20.2005       Backdoor.RBot.B43AC4F1
ClamAV         devel-20050307   03.19.2005       no virus found
DrWeb          4.32b            03.19.2005       no virus found
eTrust-Iris    7.1.194.0        03.19.2005       no virus found
eTrust-Vet     11.7.0.0         03.18.2005       no virus found
Fortinet       2.51             03.20.2005       no virus found
F-Prot         3.16a            03.19.2005       no virus found
Ikarus         2.32             03.18.2005       Backdoor.Win32.Wootbot.AM
Kaspersky      4.0.2.24         03.20.2005       Backdoor.Win32.SdBot.gen
McAfee         4450             03.18.2005       no virus found
NOD32v2        1.1030           03.19.2005       probably unknown NewHeur_PE virus
Norman         5.70.10          03.17.2005       W32/MEWpacked.gen
Panda          8.02.00          03.19.2005       W32/Sdbot.CJM.worm
Sybari         7.5.1314         03.20.2005       Backdoor.Win32.Rbot.gen
Symantec       8.0              03.19.2005       W32.Spybot.Worm

Chris
