Yahoo Messenger worm?; bot traffic

Published: 2005-03-20
Last Updated: 2005-03-21 00:37:42 UTC
by Chris Carboni (Version: 1)
0 comment(s)

A user reported:

"I've been receiving messages from people I haven't talked to in years via Yahoo Messenger tonight. The message is simply a URL. The URL is

If you're seeing traffic to you should examine your hosts for a new bot.

A few of the handlers are examining a new bot binary.

A bot controller was discovered during this malware analysis.

The bots connect to "" on port 19899 (TCP).

which currently resolves to:




DNS resolution is provided by

The binary appears to be a version of rbot/sdbot.

AntiVir 03.18.2005 no virus found

AVG 718 03.18.2005 no virus found

BitDefender 7.0 03.20.2005 Backdoor.RBot.B43AC4F1

ClamAV devel-20050307 03.19.2005 no virus found

DrWeb 4.32b 03.19.2005 no virus found

eTrust-Iris 03.19.2005 no virus found

eTrust-Vet 03.18.2005 no virus found

Fortinet 2.51 03.20.2005 no virus found

F-Prot 3.16a 03.19.2005 no virus found

Ikarus 2.32 03.18.2005 Backdoor.Win32.Wootbot.AM

Kaspersky 03.20.2005 Backdoor.Win32.SdBot.gen

McAfee 4450 03.18.2005 no virus found

NOD32v2 1.1030 03.19.2005 probably unknown NewHeur_PE virus

Norman 5.70.10 03.17.2005 W32/MEWpacked.gen

Panda 8.02.00 03.19.2005 W32/Sdbot.CJM.worm

Sybari 7.5.1314 03.20.2005 Backdoor.Win32.Rbot.gen

Symantec 8.0 03.19.2005 W32.Spybot.Worm
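One way to find hosts making the outbound connections to TCP port 19899 described above is to scan firewall logs for them. This is an added example, not part of the original diary; it assumes Linux netfilter LOG-style lines and an internal range of 192.168.10.0/24, and every log line and address in it is constructed.

```python
import ipaddress
import re
from collections import defaultdict

C2_PORT = 19899  # TCP port the diary reports the bots connecting to

# key=value fields as written by the Linux netfilter LOG target (assumed log format)
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Constructed sample log lines (private and documentation address ranges only).
SAMPLE_LOG = """\
Mar 20 23:01:12 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.10.23 DST=203.0.113.45 LEN=48 PROTO=TCP SPT=1045 DPT=19899 SYN
Mar 20 23:01:15 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.10.23 DST=203.0.113.45 LEN=48 PROTO=TCP SPT=1046 DPT=19899 SYN
Mar 20 23:02:40 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.10.77 DST=198.51.100.9 LEN=48 PROTO=TCP SPT=2210 DPT=19899 SYN
Mar 20 23:03:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.10.31 DST=198.51.100.9 LEN=60 PROTO=UDP SPT=19899 DPT=53
Mar 20 23:03:09 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.168.10.23 LEN=48 PROTO=TCP SPT=19899 DPT=1045 ACK SYN
Mar 20 23:04:00 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.10.50 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=3001 DPT=80 SYN
Mar 20 23:04:30 fw kernel: truncated entry SRC=192.168.10.9 PROTO=TCP
"""


def find_suspect_hosts(lines, internal_net="192.168.10.0/24", port=C2_PORT):
    """Map each internal source IP to {destination: connection count}
    for outbound TCP connections to `port`."""
    net = ipaddress.ip_network(internal_net)
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        f = dict(FIELD_RE.findall(line))
        if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys():
            continue  # malformed or non-packet line
        if f["PROTO"] != "TCP" or f["DPT"] != str(port):
            continue  # wrong protocol, or 19899 is only the source port (reply traffic)
        try:
            src = ipaddress.ip_address(f["SRC"])
        except ValueError:
            continue  # unparseable source address
        if src in net:  # only hosts on our own network are candidates for examination
            hits[f["SRC"]][f["DST"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for host, dsts in sorted(find_suspect_hosts(SAMPLE_LOG.splitlines()).items()):
        print(host, dsts)
```

A match on the port alone does not prove infection; treat each listed host as a candidate for the examination the diary recommends.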
