Full Disclosure mailing list archives

Re: Sasser skips 10.x.x.x Why?


From: Rodrigo Barbosa <rodrigob () suespammers org>
Date: Mon, 3 May 2004 18:52:57 -0300

I have several cases of machines on 172.18.X.X networks infecting
each other.

On Mon, May 03, 2004 at 12:44:31PM -0700, Eric Chien wrote:
> Actually, it is all variants (.A - .D).  And more
> specifically, it iterates through all the host IP
> addresses looking for an address that does not match:
> 127.0.0.1
> 10.
> 172.16 - 172.31 (inclusive)
> 192.168.
> 169.254
>
> Then, using this address it creates a random address
> (sometimes changing all octets, sometimes just the
> last three, and sometimes just the last two).
>
> ...Eric
>
> --- Shawn Cox <shawn.cox () pcca com> wrote:
> It appears that only .D skips private ranges.  I
> incorrectly assumed that the original would do the same.
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.D&VSect=T
>
> --Shawn
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
Rodrigo Barbosa <rodrigob () suespammers org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

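Added example, not part of the original thread: a defender-side sketch that applies the range list quoted above to a host's addresses and profiles flow records by which octets of the source address each destination keeps (last two changed, last three changed, all changed). The function names, the min_targets threshold and the sample flows are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Ranges the quoted message lists as never chosen for the base address.
SKIPPED = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12",   # 172.16 - 172.31 inclusive
    "192.168.0.0/16", "169.254.0.0/16")]

def usable_base(host_addrs):
    """First host address outside the listed ranges, or None if every one matches."""
    for addr in host_addrs:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in SKIPPED):
            return addr
    return None

def locality(src, dst):
    """Label dst by how much of src's prefix it keeps."""
    s, d = src.split("."), dst.split(".")
    if s[:2] == d[:2]:
        return "last-two-changed"      # same first two octets as the source
    if s[0] == d[0]:
        return "last-three-changed"    # same first octet only
    return "all-changed"               # nothing shared with the source

def scan_profile(flows, min_targets=5):
    """flows: (src, dst) pairs. Profile sources that contacted at least
    min_targets distinct hosts (threshold is an assumed tuning value)."""
    targets = {}
    for src, dst in flows:
        targets.setdefault(src, set()).add(dst)
    return {src: Counter(locality(src, d) for d in dsts)
            for src, dsts in targets.items() if len(dsts) >= min_targets}

# Constructed sample flow records (documentation addresses, not real data).
FLOWS = [
    ("198.51.100.7", "198.51.33.10"), ("198.51.100.7", "198.51.200.1"),
    ("198.51.100.7", "198.9.4.4"),    ("198.51.100.7", "198.200.1.9"),
    ("198.51.100.7", "203.0.113.5"),  ("198.51.100.7", "192.0.2.77"),
    ("198.51.100.20", "198.51.100.1"),  # single destination: below threshold
]

if __name__ == "__main__":
    print(usable_base(["10.1.2.3", "198.51.100.7"]))
    print(usable_base(["172.18.4.9"]))  # only address is inside a listed range
    for src, profile in scan_profile(FLOWS).items():
        print(src, dict(profile))
```

A source whose destinations spread across all three labels fits the address-generation pattern described in the quoted message; the thread does not say what the worm does when usable_base would return None.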