Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: another new worm submission

From: insecure <insecure () ameritech net>
Date: Fri, 04 Jun 2004 15:55:05 -0500
Perrymon, Josh L. wrote:


http://www.detroit-x.com/analysis.htm

This is something we found this morning. I have packet captures that I will
post.
I have attached the infected files found with FPORT and also registry
entries.

We found this rebooting machines with the LSASS.exe error similar to Sasser.
As of 6/4/2004 we found no virus defs to pick it up.


Joshua Perrymon
Sr. Network Security Consultant
McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT. This is not a worm, it's a trojan. Your systems are being remotely compromised, possibly with an auto-rooter targeting the lsass vulnerability, which instructs the compromised system to download, install, and run this trojan. This trojan includes a keystroke logger, and additional components that you seem to have missed. Assume that system and any web site passwords have been compromised. Warn the users of these systems that unless they change any financial site passwords they are likely to be victims of theft.
How are these system getting compromised? Why don't you have this patch deployed yet? Why are these systems reachable from the Internet over port 445? 

You've got more problems than new worms.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: