Security Incidents mailing list archives

Re: new IIS worm? (rcp lsass.exe)


From: Mike Lewinski <mike () rockynet com>
Date: Tue, 24 Sep 2002 09:56:16 -0600 (MDT)

<pj () esec dk> wrote:

> NOTICE %s :KILL                          = Kills the client

This command appears to be unimplemented, or requires some odd
argument/environmental condition I wasn't able to reproduce.

FYI, the IRC server mapped to lar.ath.cx was shut down around 12:50pm MDT
yesterday, likely in response to a flood of incidents@ users joining the
channel....

Later, the A record for the server was changed:

;; ANSWER SECTION:
lar.ath.cx.             86400   IN      A       10.0.1.128

My test machine just grinds away trying to connect to the single hostname.
It will resolve hostname and then send a SYN on 6667 about once per
second.  No other unusual network activity has been observed from it.

Mike
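
The reconnect loop described above (a SYN to port 6667 about once per second after the A record was pointed at 10.0.1.128) can be picked out of connection logs. This is an added example, not part of the original post: the log format, client addresses and thresholds are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample, not captured traffic. Assumed format:
# "epoch_seconds client server server_port flags" (S = SYN, SA = SYN-ACK reply).
SAMPLE = """\
1000.0 192.168.5.20 10.0.1.128 6667 S
1000.4 192.168.5.31 198.51.100.7 6667 S
1000.45 192.168.5.31 198.51.100.7 6667 SA
1000.0 192.168.5.44 203.0.113.9 6667 S
1001.1 192.168.5.20 10.0.1.128 6667 S
1002.0 192.168.5.20 10.0.1.128 6667 S
1003.0 192.168.5.44 203.0.113.9 6667 S
1003.05 192.168.5.20 10.0.1.128 6667 S
1004.0 192.168.5.20 10.0.1.128 6667 S
1005.1 192.168.5.20 10.0.1.128 6667 S
1009.0 192.168.5.44 203.0.113.9 6667 S
1021.0 192.168.5.44 203.0.113.9 6667 S
1045.0 192.168.5.44 203.0.113.9 6667 S
"""

def find_retry_loops(log, port=6667, min_syns=5, max_jitter=0.5):
    """Return client/server pairs with many unanswered, evenly spaced SYNs."""
    syns, answered = defaultdict(list), set()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != str(port):
            continue  # skip malformed lines and other ports
        ts, client, server, _, flags = parts
        if flags == "S":
            syns[(client, server)].append(float(ts))
        elif flags == "SA":
            answered.add((client, server))
    hits = []
    for (client, server), times in syns.items():
        if (client, server) in answered or len(times) < min_syns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps)
        # Stack-level SYN retransmits back off (3s, 6s, 12s...); a fixed period
        # means the application itself keeps opening new connections.
        if all(abs(g - period) <= max_jitter for g in gaps):
            hits.append({"client": client, "server": server, "syns": len(times),
                         "period": round(period, 2),
                         "private_dst": ipaddress.ip_address(server).is_private})
    return hits

if __name__ == "__main__":
    for hit in find_retry_loops(SAMPLE):
        print(hit)
```

The `private_dst` flag marks the case in this thread, where the hostname now resolves to an RFC 1918 address.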

