A user reported
"I've been receiving messages from people I haven't talked to in years via Yahoo Messenger tonight. The message is simply a URL. The URL is
If your seeing traffic to exploited.lsass.cc you should examine your hosts for a new bot
A few of the handlers are examining a new bot binary.
A bot controller was discovered during this malware analysis.
The bots connect to "exploited.lsass.cc" on port 19899 (TCP).
which currently resolves to:
DNS resolution is provided by dnsmadeeasy.com
The binary appears to be a version of rbot/sdbot.
AntiVir 220.127.116.11 03.18.2005 no virus found
AVG 718 03.18.2005 no virus found
BitDefender 7.0 03.20.2005 Backdoor.RBot.B43AC4F1
ClamAV devel-20050307 03.19.2005 no virus found
DrWeb 4.32b 03.19.2005 no virus found
eTrust-Iris 18.104.22.168 03.19.2005 no virus found
eTrust-Vet 22.214.171.124 03.18.2005 no virus found
Fortinet 2.51 03.20.2005 no virus found
F-Prot 3.16a 03.19.2005 no virus found
Ikarus 2.32 03.18.2005 Backdoor.Win32.Wootbot.AM
Kaspersky 126.96.36.199 03.20.2005 Backdoor.Win32.SdBot.gen
McAfee 4450 03.18.2005 no virus found
NOD32v2 1.1030 03.19.2005 probably unknown NewHeur_PE virus
Norman 5.70.10 03.17.2005 W32/MEWpacked.gen
Panda 8.02.00 03.19.2005 W32/Sdbot.CJM.worm
Sybari 7.5.1314 03.20.2005 Backdoor.Win32.Rbot.gen
Symantec 8.0 03.19.2005 W32.Spybot.Worm