Educause Security Discussion mailing list archives
early warning: Backdoor.Wasax
From: Doug Pearson <dodpears () INDIANA EDU>
Date: Wed, 14 Apr 2004 16:06:52 -0500
Dear all,

We've been asked to share information about a potentially serious backdoor exploit of Windows that attempts to crack passwords against ADS domain controllers. Disruptive levels of activity against domain controllers have been seen. The backdoor seems to have a number of functions in addition to password cracking. From the names of the commands it appears it can open a remote shell and capture keystrokes as well.

Information on the exploit has not been publicly released yet. It is detected by Symantec Rapid Release Definitions 4/14/04 rev. 34, and is tentatively known as Backdoor.Wasax.

The possible and unconfirmed attack vector is MS03-043, but not necessarily. Security engineers at the reporting university are working with Microsoft to dissect the exploit.

Evidence of the exploit includes:

1. %systemroot%\system32\rasaccs.dll
2. svchost listening on 1129/tcp
3. unusual levels of activity against ADS domain controllers

Regards,

Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
Watch Desk 24x7: +1(317)278-6630
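A triage check for the first two indicators listed in the message, written as an added example that is not part of the original post. It assumes `netstat -ano`, `tasklist /fo csv /nh` and a System32 file listing have already been collected from a host; the function names and all sample data are constructed for illustration.

```python
import csv
import io

# Indicators as reported in the message above (unconfirmed at the time).
IOC_PORT = 1129
IOC_IMAGE = "svchost.exe"
IOC_FILE = "rasaccs.dll"

# Constructed sample triage output, not taken from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1129           0.0.0.0:0              LISTENING       1012
  TCP    10.0.0.5:1129          10.0.0.9:4411          ESTABLISHED     1012
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1500
  UDP    0.0.0.0:1129           *:*                                    1700
"""
SAMPLE_TASKLIST = '''"svchost.exe","884","Console","0","3,120 K"
"svchost.exe","1012","Console","0","4,876 K"
"termsrv.exe","1500","Console","0","2,044 K"
'''
SAMPLE_DIR = ["kernel32.dll", "RASACCS.DLL", "rasapi32.dll"]

def pid_images(tasklist_csv):
    """Map PID -> lowercase image name from `tasklist /fo csv /nh` output."""
    return {int(row[1]): row[0].lower()
            for row in csv.reader(io.StringIO(tasklist_csv))
            if len(row) >= 2 and row[1].isdigit()}

def listeners_on(netstat_text, port):
    """PIDs holding a TCP socket in LISTENING state on `port` (`netstat -ano`)."""
    pids = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(port):
                pids.add(int(f[4]))
    return pids

def triage(netstat_text, tasklist_csv, system32_names):
    """Report svchost-owned listeners on the IOC port and presence of the IOC file."""
    images = pid_images(tasklist_csv)
    hits = sorted(p for p in listeners_on(netstat_text, IOC_PORT)
                  if images.get(p) == IOC_IMAGE)
    return {"svchost_listener_pids": hits,
            "file_present": IOC_FILE in {n.lower() for n in system32_names}}
```

A listener on 1129/tcp owned by some other image, or the file name alone, is not a match for the pairing described in the message and should be reviewed separately.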