
Re: [Full-Disclosure] [UPDATE] ping floods



"Jerry Heidtke" <jheidtke@fmlh.edu> wrote:

Anybody caught a copy of this new worm?

> 
> It may be a new worm/virus. See the symptoms below.
> 
> Jerry
> 
> http://vil.nai.com/vil/content/v_100559.htm
> 
> Virus Characteristics: 
> 
> This detection is for another virus that exploits the MS03-026
> vulnerability.
> 
> It is not related to the W32/Lovsan.worm.d variant described here.
> 
> The virus is detected by the current Daily DATs as Exploit-DcomRpc virus
> (with scanning of compressed files enabled).
> 
> Preliminary Analysis
> 
> Initial analysis shows the virus to install within a WINS directory
> which is created in the Windows System directory:
> C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes) 
> 
> Strings within the virus suggest it copies the TCP/IP trivial file
> transfer daemon (TFTPD.EXE) binary from the dllcache on the victim
> machine to this directory also, renaming it:
> C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE 
> 
> The following services are installed:
> RpcPatch: set to run the installed copy of the worm (DLLHOST.EXE);
> display name "WINS Client"
> RpcTftpd: set to run the copy of the TFTPD application (SVCHOST.EXE);
> display name "Network Connections Sharing"
> 
> Analysis is currently ongoing - description will be updated once
> complete.
> 
> Symptoms 
> large volumes of ICMP traffic in network 
> existence of the files and Windows services detailed above 
> 
> Jerry
> 
> -----Original Message-----
> From: Abraham, Antony (Cognizant) [mailto:Antony@blr.cognizant.com] 
> Sent: Monday, August 18, 2003 9:18 AM
> To: B3r3n@argosnet.com; full-disclosure@lists.netsys.com
> Cc: Frank.Ederveen@canon-europe.com
> Subject: RE: [Full-Disclosure] [UPDATE] ping floods
> 
> 
> Hi,
> 
> We do have the same problem. Incidents.org has recorded the same
> (http://isc.incidents.org/) but not much detail available.
> 
> Thanks,
> 
> Antony Abraham 
> 
> -----Original Message-----
> From: B3r3n@argosnet.com [mailto:B3r3n@argosnet.com] 
> Sent: Monday, August 18, 2003 6:59 PM
> To: full-disclosure@lists.netsys.com
> Cc: Frank.Ederveen@canon-europe.com
> Subject: [Full-Disclosure] [UPDATE] ping floods
> 
> Frank,
> 
> Yes, exactly, our ICMP requests are also detected as Cyber kit 2.2
> 
> Seems we share the same problem.
> 
> Some others too?
> 
> Brgrds
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
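The "large volumes of ICMP traffic" symptom in the quoted write-up shows up in flow logs as one source sending echo requests to many distinct addresses. As an added example (not code from the thread, McAfee, or Incidents.org), this script flags such sources in a constructed flow log; the record format `<epoch> <src> <dst> icmp type=<n>`, the window and the target threshold are assumptions.

```python
"""Flag sources producing the ICMP echo-request sweeps reported in the thread.

Added example. Record format is assumed: "<epoch> <src_ip> <dst_ip> icmp type=<n>".
"""
from collections import defaultdict


def parse_icmp_records(text):
    """Yield (timestamp, src, dst) for echo-request (type 8) records only."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[3] != "icmp":
            continue  # skip malformed or non-ICMP lines
        if fields[4] != "type=8":
            continue  # echo replies and other types do not count toward a sweep
        yield int(fields[0]), fields[1], fields[2]


def sweep_sources(text, window=10, min_targets=20):
    """Return {src: max_distinct_targets} for every source that, within one
    fixed `window`-second bucket, pinged at least `min_targets` distinct
    destinations. Many targets with one ping each is the scanning pattern;
    one target pinged repeatedly (monitoring) is left alone."""
    buckets = defaultdict(set)
    for ts, src, dst in parse_icmp_records(text):
        buckets[(src, ts // window)].add(dst)
    flagged = {}
    for (src, _), targets in buckets.items():
        if len(targets) >= min_targets:
            flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def _constructed_log():
    """Build constructed sample records (not real capture data)."""
    lines = []
    # A scanning host: one echo request to each of 32 addresses in 4 seconds.
    for i in range(32):
        lines.append(f"{1061220000 + i // 8} 10.0.0.5 10.0.1.{i + 1} icmp type=8")
    # A monitoring host: 30 pings to a single gateway over 30 seconds.
    for i in range(30):
        lines.append(f"{1061220000 + i} 10.0.0.9 10.0.0.1 icmp type=8")
    # Echo replies from the gateway; ignored by the parser.
    for i in range(30):
        lines.append(f"{1061220000 + i} 10.0.0.1 10.0.0.9 icmp type=0")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, n in sorted(sweep_sources(_constructed_log()).items()):
        print(f"{src}: {n} distinct targets in one window")
```

Fixed buckets can split a burst across two windows, so the threshold is per bucket; lower `min_targets` or widen `window` for sparser scanners.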


