RE: Backdoor.sdbot trojan
From: Nick FitzGerald <nick(at)virus-l.demon.co.uk>
Date: Tue Nov 12 2002 - 18:39:52 EST
[restructured to repair top-posting suckiness]

> > I have had repeated attempts at my NetBios today; at least 200 today alone.

It is not Bugbear. Bugbear uses WNetEnumerateResources and thus only "sees" the network resources that would be listed in the Network Neighbourhood. Thus, if SMB traffic from "unusual" places is showing up at your border it is not Bugbear traffic as Bugbear will only come from the places you usually get SMB traffic from.

On the other hand, Opaserv aggressively scans IP addresses for SMB networks and tries to "exploit" null passworded shares and Win9x/ME shares on machines not patched with MS00-072. Opaserv was released around the same time as Bugbear and many variants have been released since with a new one being released just this last weekend.

As it seems far too many sites are far too cluelessly administered with deleting the Opaserv executables after machines are found infected counting as "adequate repair", many, many, many, many, many Opaserv.A victims became Opaserv.B victims became Opaserv.C victims became Opaserv.D victims became Opaserv.E victims became Opaserv.F victims became Opaserv.G victims and are now or will soon be Opaserv.H victims (or are we up to Opaserv.I???).

Of course, some of them simply become repeat victims of the same variant (and some of these become repeat victims of the same multiple variants) as they do not even bother getting AV or (personal) firewall "protection", apply MS00-072, unshare the root of the system drive or unbind F&PS from their Internet interfaces...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Received on Wed Nov 13 16:18:42 2002
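The triage the message describes, as an added example that is not part of the original post: it counts inbound NetBIOS probes in a border firewall log and reports only the sources outside the networks the site usually gets SMB traffic from, which by the reasoning above cannot be Bugbear. The log format, the `USUAL_SMB_PEERS` list and all addresses are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name, datagram and session services
# Assumption: the only network this site normally receives SMB traffic from.
USUAL_SMB_PEERS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2002-11-12T09:01:10 DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=UDP DPT=137
2002-11-12T09:01:11 DROP SRC=198.51.100.7 DST=203.0.113.11 PROTO=UDP DPT=137
2002-11-12T09:01:12 DROP SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP DPT=139
2002-11-12T09:05:40 ACCEPT SRC=192.0.2.25 DST=203.0.113.10 PROTO=TCP DPT=139
2002-11-12T09:07:02 DROP SRC=198.51.100.99 DST=203.0.113.10 PROTO=TCP DPT=139
2002-11-12T09:08:15 DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=80
2002-11-12T09:09:00 DROP SRC=not-an-ip DST=203.0.113.10 PROTO=TCP DPT=139
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=\S+ DPT=(\d+)")


def unusual_netbios_sources(log_text, usual_peers=USUAL_SMB_PEERS):
    """Map each source outside usual_peers to its NetBIOS probe count and
    the set of destinations it touched."""
    found = defaultdict(lambda: {"probes": 0, "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group(3)) not in NETBIOS_PORTS:
            continue  # not a NetBIOS probe
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed source field: skip rather than misattribute
        if any(src in net for net in usual_peers):
            continue  # traffic from a place we usually get SMB traffic from
        found[str(src)]["probes"] += 1
        found[str(src)]["targets"].add(m.group(2))
    return dict(found)


if __name__ == "__main__":
    for src, info in sorted(unusual_netbios_sources(SAMPLE_LOG).items()):
        print(f"{src}: {info['probes']} probes, {len(info['targets'])} targets")
```

A source that touches many distinct targets fits the address scanning the message attributes to Opaserv, but the script only establishes that the traffic came from outside the usual SMB peers.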