Security Incidents mailing list archives
Re: new IIS worm? (rcp lsass.exe)
From: Mike Lewinski <mike () rockynet com>
Date: Mon, 23 Sep 2002 00:31:01 -0600 (MDT)
I played some more with the copy I got. It makes an IRC connection to lar.ath.cx and then joins #lerler using the key 'essenscheisse'. There are almost 2000 zombies in that room fwiw.

I see no indications that it is a worm however. After connecting on IRC, it just sits there apparently waiting for someone to show up and give it commands. A registry entry is created to run itself at startup, but no other modifications to my test system were readily apparent (not saying there weren't any, but a casual check of filemon and regmon didn't reveal anything obviously bad).

Mike

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Current thread:
- new IIS worm? (rcp lsass.exe) Christian Mock (Sep 22)
- Re: new IIS worm? (rcp lsass.exe) Björn Wallentinus (Sep 22)
- Re: new IIS worm? (rcp lsass.exe) Michael Thompson (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) Lasse Sundström (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 23)
- <Possible follow-ups>
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) pj (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Bellenger, Bruno (Paris) (Sep 24)
- Slapper worm DoS james (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Eloy A. Paris (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Mark Challender (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) James Williams (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Ben Timby (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) sunzi (Sep 25)
(Thread continues...)