Full Disclosure mailing list archives
Re: Heads up: Possible lsass worm in the wild
From: insecure <insecure () ameritech net>
Date: Thu, 29 Apr 2004 09:30:38 -0500
morning_wood wrote:
> dropped file: %SYSTEM%/msiwin84.exe
> remote process established to: lsass.exe
> remote ip: 4.x.x.x
> note: file msiwin84.exe was not running
>
> this appears to be a "blaster" type of worm working on the first and / or second subset of the infected host to begin scanning for more hosts. I have not completely unpacked the binary but here are some strings.
>
> ------------------ snip --------------
> DnsFlushResolve {ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home cCmd.Net, +MODEW ]m715 522947 6660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error: fix>ipS enc<5n clos *+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s) tal!x f@m'Q_ IP addrvs3
> ------------------ snip ---------------
>
> based on the above, the worm / viri tries to connect to an IRC server.
>
> anyone else experiencing this?
>
> morning_wood
> http://exploitlabs.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

According to McAfee, this is W32/Gaobot.worm.ali. It is not a "blaster" type worm, as it does not spread completely autonomously. It infects a system, contacts an IRC server, and waits for instructions, one of which can be to search for and infect other vulnerable systems. The IRC server is offline at the moment.

See http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125006
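The triage step morning_wood describes above (pull printable strings out of the dropped binary and look for IRC verbs such as PRIVMSG, JOIN, USERHOST and QUIT) as an added example; this is not code from the thread, from McAfee or from the bot itself. The sample bytes are constructed here and are not the real msiwin84.exe; the verb list, the fragment matching for partially packed strings, and the three-verb threshold are the example's own assumptions.

```python
import re

# IRC protocol verbs an IRC-controlled bot must emit or parse to reach its
# command channel.  Assumption of this example, not taken from the post; kept
# upper-case and without short verbs like USER/PING to limit false hits.
IRC_VERBS = ("PRIVMSG", "USERHOST", "NICK", "JOIN", "QUIT", "MODE", "NOTICE", "TOPIC")

MIN_LEN = 4  # same default minimum run length as strings(1)


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes, as strings(1) does."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def _patterns_for(verb: str) -> set[str]:
    """The verb itself plus the verb with its first character lost, which is the
    kind of fragment a partially packed binary leaves behind ('RIVMSG' for
    PRIVMSG).  Fragments shorter than MIN_LEN are not used."""
    pats = {verb}
    if len(verb) - 1 >= MIN_LEN:
        pats.add(verb[1:])
    return pats


def irc_indicators(strings: list[str]) -> dict[str, list[str]]:
    """Map each IRC verb to the extracted strings containing it or its fragment."""
    hits: dict[str, list[str]] = {}
    for s in strings:
        for verb in IRC_VERBS:
            if any(p in s for p in _patterns_for(verb)):
                hits.setdefault(verb, []).append(s)
    return hits


def classify(blob: bytes, threshold: int = 3) -> tuple[str, dict[str, list[str]]]:
    """Verdict plus evidence: 'likely-irc-bot' once `threshold` distinct verbs appear.
    The threshold is a heuristic chosen for this example."""
    hits = irc_indicators(extract_strings(blob))
    verdict = "likely-irc-bot" if len(hits) >= threshold else "no-irc-indicators"
    return verdict, hits


# Constructed sample, loosely shaped after the dump quoted in the thread, with
# non-printable bytes between the strings as a packed binary would have.  It is
# not the real dropped file.
SAMPLE_BLOB = (
    b"\x00\x00MZ\x90\x00\x03\x00\x00\x00"
    b"DnsFlushResolverCache\x00"
    b"\x8b\xff\x55\x8b\xec"
    b"VQUIT \x00\x01\x02"
    b"RIVMSG %s :screw you\x00"
    b"\xde\xad\xbe\xef"
    b"+MODEW\x00"
    b"USERHOST/@\x00"
    b"\x00\x00JOINFL :\x00"
    b"\x90\x90\x90"
)

# Constructed control sample with ordinary PE import-style strings and no IRC verbs.
BENIGN_BLOB = (
    b"\x00\x01MZ\x90\x00Hello, world\x00\x7fELF\x01\x02"
    b"kernel32.dll\x00GetProcAddress\x00"
)


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_BLOB), ("benign", BENIGN_BLOB)):
        verdict, hits = classify(blob)
        print(f"{name}: {verdict}")
        for verb, evidence in hits.items():
            print(f"  {verb:9s} <- {evidence}")
```

On a real sample, run `classify(open(path, "rb").read())`; because the matching is substring-based, treat the verdict as a triage hint to be confirmed by unpacking, not as a signature.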
Current thread:
- Heads up: Possible lsass worm in the wild morning_wood (Apr 29)
- Re: Heads up: Possible lsass worm in the wild insecure (Apr 29)
- Re: Heads up: Possible lsass worm in the wild morning_wood (Apr 29)
- Re: Heads up: Possible lsass worm in the wild Paul Tinsley (Apr 29)
- Re: Heads up: Possible lsass worm in the wild morning_wood (Apr 29)
- Re: [0day] Heads up: Possible lsass worm in the wild Darren Bounds (Apr 29)
- <Possible follow-ups>
- RE: Heads up: Possible lsass worm in the wild Randal, Phil (Apr 29)
- Heads up: Possible lsass worm in the wild Feher Tamas (Apr 29)
- Heads up: Possible lsass worm in the wild Feher Tamas (Apr 30)
- Heads up: Possible lsass worm in the wild Feher Tamas (Apr 30)
- Re: Heads up: Possible lsass worm in the wild insecure (Apr 29)