[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-Disclosure] Heads up: Possible lsass worm in the wild
- To: 0day <0day@xxxxxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxx
- Subject: RE: [Full-Disclosure] Heads up: Possible lsass worm in the wild
- From: "Randal, Phil" <prandal@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 29 Apr 2004 14:53:21 +0100
http://vil.nai.com/vil/content/v_125006.htm
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
> -----Original Message-----
> From: full-disclosure-admin@xxxxxxxxxxxxxxxx
> [mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of
> morning_wood
> Sent: 29 April 2004 13:31
> To: 0day; full-disclosure@xxxxxxxxxxxxxxxx
> Subject: [Full-Disclosure] Heads up: Possible lsass worm in the wild
>
> dropped file: %SYSTEM%/msiwin84.exe
> remote process established to: lsass.exe remote ip:4.x.x.x
>
> note: file msiwin84.was not running
>
>
> this appears to be a "blaster" type of worm working on the
> first and / or second subset of the infected host to begin
> scanning for more hosts.
> I have not completly unpacked the binary but here is some strings.
>
> ------------------ snip --------------
> DnsFlushResolve
> {ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home
> cCmd.Net, +MODEW ]m715
> 522947
> 6660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error:
> fix>ipS enc<5n clos *+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s)
> tal!x f@m'Q_ IP addrvs3
>
> ------------------ snip ---------------
>
> based on the above, the worm / viri tries to connect to a IRC server.
>
> anyone else experiencing this?
>
>
> morning_wood
> http://exploitlabs.com
>
>
>
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html