Full Disclosure mailing list archives
Re: another new worm submission
From: insecure <insecure () ameritech net>
Date: Fri, 04 Jun 2004 15:55:05 -0500
Perrymon, Josh L. wrote:
McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT. This is not a worm, it's a trojan. Your systems are being remotely compromised, possibly with an auto-rooter targeting the lsass vulnerability, which instructs the compromised system to download, install, and run this trojan. This trojan includes a keystroke logger, and additional components that you seem to have missed. Assume that system and any web site passwords have been compromised. Warn the users of these systems that unless they change any financial site passwords they are likely to be victims of theft.
http://www.detroit-x.com/analysis.htm
This is something we found this morning. I have packet captures that I will post. I have attached the infected files found with FPORT and also registry entries. We found this rebooting machines with the LSASS.exe error similar to Sasser. As of 6/4/2004 we found no virus defs to pick it up.
Joshua Perrymon
Sr. Network Security Consultant
How are these systems getting compromised? Why don't you have this patch deployed yet? Why are these systems reachable from the Internet over port 445?
You've got more problems than new worms.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html