Security Incidents mailing list archives

Re: new IIS worm? (rcp lsass.exe)


From: Mike Lewinski <mike () rockynet com>
Date: Mon, 23 Sep 2002 00:31:01 -0600 (MDT)

I played some more with the copy I got. It makes an IRC connection to
lar.ath.cx and then joins #lerler using the key 'essenscheisse'. There are
almost 2000 zombies in that room fwiw.

I see no indications that it is a worm however. After connecting on IRC,
it just sits there apparently waiting for someone to show up and give it
commands.

A registry entry is created to run itself at startup, but no other
modifications to my test system were readily apparent (not saying there
weren't any, but a casual check of filemon and regmon didn't reveal
anything obviously bad).

Mike



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
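
The check-in described in the message (IRC connect, then a keyed JOIN) can be matched in captured client-to-server IRC lines. The following is an added example, not part of the original post: the function name and the sample lines are constructed, and only the channel and key come from the message.

```python
import re

# Indicators taken from the message above.
IOC_CHANNEL = "#lerler"
IOC_KEY = "essenscheisse"

# RFC 1459: JOIN <channel>{,<channel>} [<key>{,<key>}], optional ":prefix" first.
JOIN_RE = re.compile(r"^(?::\S+\s+)?JOIN\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def find_keyed_joins(lines):
    """Return (line_no, channel, key, is_ioc) for every keyed JOIN seen."""
    hits = []
    for no, raw in enumerate(lines, 1):
        m = JOIN_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # not a JOIN command (e.g. JOIN text inside a PRIVMSG)
        channels = m.group(1).split(",")
        keys = m.group(2).split(",") if m.group(2) else []
        # Keys pair with channels positionally; extra channels have no key.
        for i, chan in enumerate(channels):
            key = keys[i] if i < len(keys) else None
            if key is None:
                continue
            # Channel names compare case-insensitively, keys do not.
            is_ioc = chan.lower() == IOC_CHANNEL and key == IOC_KEY
            hits.append((no, chan, key, is_ioc))
    return hits


# Constructed sample of client-to-server IRC lines (not real capture data).
SAMPLE = [
    "NICK zx8841\r\n",
    "USER zx8841 0 * :zx8841\r\n",
    "JOIN #help\r\n",
    "JOIN #LerLer essenscheisse\r\n",
    "JOIN #a,#lerler k1,essenscheisse\r\n",
    "PRIVMSG #lerler :JOIN #lerler essenscheisse\r\n",
]

if __name__ == "__main__":
    for no, chan, key, is_ioc in find_keyed_joins(SAMPLE):
        print(f"line {no}: {chan} key={key!r} ioc={is_ioc}")
```

Any keyed JOIN from a server-class host is worth a look even when it does not match the indicator, which is why non-matching keyed joins are returned as well.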

