Yahoo Messenger worm?; exploited.lsass.cc bot traffic
A user reported:
"I've been receiving messages from people I haven't talked to in years via Yahoo Messenger tonight. The message is simply a URL. The URL is
http://yahoo-secretDOTtripodDOTcom"
If you're seeing traffic to exploited.lsass.cc, you should examine your hosts for a new bot.
A few of the handlers are examining a new bot binary.
A bot controller was discovered during this malware analysis.
The bots connect to "exploited.lsass.cc" on port 19899 (TCP), which currently resolves to:
Name: exploited.lsass.cc
Address: 158.195.101.192
Name: exploited.lsass.cc
Address: 140.123.105.125
DNS resolution is provided by dnsmadeeasy.com
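One way to act on the indicators above is to sweep firewall and resolver logs for the controller name, the two addresses it resolves to, and TCP/19899, and report which internal hosts produced the traffic. The block below is an added example written for this diary, not ISC's own tooling; the log line formats and the sample log lines are constructed for illustration (real products will need their own parsers), and only the domain, port and addresses come from the diary.

```python
"""Flag internal hosts whose firewall/DNS activity matches the C2 indicators
from this diary. Added example; log formats and sample data are constructed."""
import re
from collections import defaultdict

# Indicators as reported in the diary above.
C2_DOMAIN = "exploited.lsass.cc"
C2_PORT = 19899
C2_IPS = {"158.195.101.192", "140.123.105.125"}

# Constructed sample log (not real data). Two hypothetical line shapes:
#   <ts> <proto> <src>:<sport> -> <dst>:<dport>     (firewall connection log)
#   <ts> DNS <src> query=<name>                      (resolver query log)
SAMPLE_LOG = """\
2005-03-20T01:02:03 TCP 10.0.0.5:1034 -> 158.195.101.192:19899
2005-03-20T01:02:05 TCP 10.0.0.7:1100 -> 192.0.2.10:80
2005-03-20T01:03:10 DNS 10.0.0.9 query=exploited.lsass.cc
2005-03-20T01:03:11 TCP 10.0.0.9:1201 -> 140.123.105.125:19899
2005-03-20T01:04:00 TCP 10.0.0.5:1040 -> 198.51.100.4:19899
2005-03-20T01:05:00 DNS 10.0.0.7 query=www.example.com
"""

FW_RE = re.compile(r"^(\S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")
DNS_RE = re.compile(r"^(\S+) DNS (\S+) query=(\S+)$")


def classify_line(line):
    """Return (internal_host, reason) if the line matches an indicator, else None."""
    m = FW_RE.match(line)
    if m:
        _ts, proto, src, _sport, dst, dport = m.groups()
        dport = int(dport)
        if dst in C2_IPS:
            # Strong indicator: the destination is one of the controller's addresses.
            return src, f"connection to known C2 address {dst}:{dport}"
        if proto == "TCP" and dport == C2_PORT:
            # Weaker indicator: the port alone matches; the DNS answer may have
            # changed since the diary was written, so this is worth a look, not proof.
            return src, f"TCP/{C2_PORT} to {dst} (port matches C2 port; verify)"
        return None
    m = DNS_RE.match(line)
    if m:
        _ts, src, name = m.groups()
        name = name.lower().rstrip(".")
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
            return src, f"DNS lookup of {name}"
    return None


def find_suspect_hosts(log_text):
    """Map each flagged internal host to the list of reasons it was flagged."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        result = classify_line(line)
        if result:
            host, reason = result
            hits[host].append(reason)
    return dict(hits)


if __name__ == "__main__":
    for host, reasons in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(host)
        for reason in reasons:
            print("   ", reason)
```

Hosts that hit the controller's addresses or resolved its name should be pulled for the host examination the diary recommends; the port-only matches are separated out in the reason text because, as the diary notes, the name currently resolves to those two addresses and that can change.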
The binary appears to be a version of rbot/sdbot.
Scan results (scanner, version, signature date, result):
AntiVir 6.30.0.7 03.18.2005 no virus found
AVG 718 03.18.2005 no virus found
BitDefender 7.0 03.20.2005 Backdoor.RBot.B43AC4F1
ClamAV devel-20050307 03.19.2005 no virus found
DrWeb 4.32b 03.19.2005 no virus found
eTrust-Iris 7.1.194.0 03.19.2005 no virus found
eTrust-Vet 11.7.0.0 03.18.2005 no virus found
Fortinet 2.51 03.20.2005 no virus found
F-Prot 3.16a 03.19.2005 no virus found
Ikarus 2.32 03.18.2005 Backdoor.Win32.Wootbot.AM
Kaspersky 4.0.2.24 03.20.2005 Backdoor.Win32.SdBot.gen
McAfee 4450 03.18.2005 no virus found
NOD32v2 1.1030 03.19.2005 probably unknown NewHeur_PE virus
Norman 5.70.10 03.17.2005 W32/MEWpacked.gen
Panda 8.02.00 03.19.2005 W32/Sdbot.CJM.worm
Sybari 7.5.1314 03.20.2005 Backdoor.Win32.Rbot.gen
Symantec 8.0 03.19.2005 W32.Spybot.Worm