Educause Security Discussion mailing list archives

info on the new worm ?

From: Jim Moore <jhmfa () CIS RIT EDU>
Date: Tue, 17 Dec 2002 10:27:39 -0500

I haven't seen much info on the new worm circulating except for this.

- - - - Begin Included message - - - -
All,

Over the weekend we detected and completed analysis of what appears to be a
new Internet worm which we're calling IraqiWorm.

This worm utilizes Windows Null Sessions against Windows 2000 and XP systems
to enumerate user account names and group memberships..then it launches a
simple brute force dictionary attack against all discovered user names.  We
suspect the number of infected hosts is already in the thousands, and expect
many more infections as there are many hosts poorly secured against this
type of mechanized attack.

Full details are here:
http://www.mynetwatchman.com/kb/security/articles/iraqiworm/index.htm


Regards,

Lawrence Baldwin
Chief Forensics Officer
myNetWatchman.com
Atlanta, GA
+1.678.624.0924

- - - End included message - - -
--
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.

Current thread:

info on the new worm ? Jim Moore (Dec 17)
- <Possible follow-ups>
- Re: info on the new worm ? Crawford, Charles D (Dec 17)
- Re: info on the new worm ? Gate (Dec 17)