Full Disclosure mailing list archives
Re: [UPDATE] ping floods
From: "Chris G. Turner" <falcon () geekery net>
Date: Mon, 18 Aug 2003 12:22:50 -0400
attached.

Andreas Gietl wrote:
> "Jerry Heidtke" <jheidtke () fmlh edu> wrote:
> anybody caught a copy of this new worm?
>
>> It may be a new worm/virus. See the symptoms below.
>>
>> Jerry
>>
>> http://vil.nai.com/vil/content/v_100559.htm
>>
>> Virus Characteristics:
>> This detection is for another virus that exploits the MS03-026 vulnerability. It is not related to the W32/Lovsan.worm.d variant described here. The virus is detected by the current Daily DATs as Exploit-DcomRpc virus (with scanning of compressed files enabled).
>>
>> Preliminary Analysis
>> Initial analysis shows the virus to install within a WINS directory which is created in the Windows System directory:
>> C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes)
>> Strings within the virus suggest it copies the TCP/IP trivial file transfer daemon (TFTPD.EXE) binary from the dllcache on the victim machine to this directory also, renaming it:
>> C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE
>> The following services are installed:
>> RpcPatch - Set to run the installed copy of the worm (DLLHOST.EXE). Display name: "WINS Client"
>> RpcTftpd - Set to run the copy of the TFTPD application (SVCHOST.EXE). Display name: "Network Connections Sharing"
>> Analysis is currently ongoing - description will be updated once complete.
>>
>> Symptoms
>> large volumes of ICMP traffic in network
>> existence of the files and Windows services detailed above
>>
>> Jerry
>>
>> -----Original Message-----
>> From: Abraham, Antony (Cognizant) [mailto:Antony () blr cognizant com]
>> Sent: Monday, August 18, 2003 9:18 AM
>> To: B3r3n () argosnet com; full-disclosure () lists netsys com
>> Cc: Frank.Ederveen () canon-europe com
>> Subject: RE: [Full-disclosure] [UPDATE] ping floods
>>
>> Hi,
>>
>> We do have the same problem. Incidents.org has recorded the same (http://isc.incidents.org/) but not much detail available.
>>
>> Thanks,
>> Antony Abraham
>>
>> -----Original Message-----
>> From: B3r3n () argosnet com [mailto:B3r3n () argosnet com]
>> Sent: Monday, August 18, 2003 6:59 PM
>> To: full-disclosure () lists netsys com
>> Cc: Frank.Ederveen () canon-europe com
>> Subject: [Full-disclosure] [UPDATE] ping floods
>>
>> Frank,
>>
>> Yes, exactly, our ICMP requests are also detected as Cyber kit 2.2
>> Seems we share the same problem. Some others too?
>>
>> Brgrds
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
>> Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Attachment: Nachi.zip
Attachment: smime.p7s (S/MIME Cryptographic Signature)
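A host-side check for the indicators in the quoted NAI write-up (the RpcPatch and RpcTftpd services and the two binaries dropped under SYSTEM32\WINS), added here as example code that is not from the thread, from NAI or from the attached sample. The inventory it scans is constructed, and every file size other than DLLHOST.EXE's is an assumption.

```python
from dataclasses import dataclass

WINS_DIR = r"C:\WINNT\SYSTEM32\WINS"

# Indicators taken from the NAI write-up quoted in the thread.
SUSPECT_SERVICES = {"rpcpatch": "WINS Client", "rpctftpd": "Network Connections Sharing"}
SUSPECT_FILES = {
    rf"{WINS_DIR}\DLLHOST.EXE".lower(): 10240,  # worm body, 10,240 bytes per the write-up
    rf"{WINS_DIR}\SVCHOST.EXE".lower(): None,   # renamed TFTPD.EXE; size not stated
}

@dataclass
class Service:
    name: str          # short service name, e.g. "RpcPatch"
    display_name: str  # e.g. "WINS Client"
    image_path: str    # full path of the binary the service runs

def check_host(services, files):
    """Return findings for one host: `services` is an iterable of Service, `files` maps
    full path -> size in bytes. Match on the full path: DLLHOST.EXE and SVCHOST.EXE are
    legitimate names when they sit in SYSTEM32 itself, not in the WINS subdirectory."""
    findings = []
    wins_prefix = WINS_DIR.lower() + "\\"
    for svc in services:
        if svc.name.lower() in SUSPECT_SERVICES:
            findings.append(f"service {svc.name} ({svc.display_name}) -> {svc.image_path}")
        elif svc.image_path.lower().startswith(wins_prefix):
            # A renamed variant would still have to run something out of the WINS directory.
            findings.append(f"service {svc.name} runs from {WINS_DIR}: {svc.image_path}")
    for path, size in files.items():
        if path.lower() not in SUSPECT_FILES:
            continue
        expected = SUSPECT_FILES[path.lower()]
        note = "" if expected in (None, size) else f" (expected {expected}: variant?)"
        findings.append(f"file {path}, {size} bytes{note}")
    return findings

# Constructed inventory of an infected host (not real telemetry); sizes other than DLLHOST.EXE's are assumed.
INFECTED_SERVICES = [
    Service("Dhcp", "DHCP Client", r"C:\WINNT\SYSTEM32\SVCHOST.EXE"),  # legitimate
    Service("RpcPatch", "WINS Client", rf"{WINS_DIR}\DLLHOST.EXE"),
    Service("RpcTftpd", "Network Connections Sharing", rf"{WINS_DIR}\SVCHOST.EXE"),
]
INFECTED_FILES = {
    r"C:\WINNT\SYSTEM32\SVCHOST.EXE": 8448,  # the real one, outside the WINS dir
    rf"{WINS_DIR}\DLLHOST.EXE": 10240,
    rf"{WINS_DIR}\SVCHOST.EXE": 16896,
}
CLEAN_SERVICES, CLEAN_FILES = INFECTED_SERVICES[:1], dict(list(INFECTED_FILES.items())[:1])
if __name__ == "__main__":
    print("\n".join(check_host(INFECTED_SERVICES, INFECTED_FILES)) or "no indicators")
```

On a real host the same inventory would come from the service control manager and a directory listing of SYSTEM32\WINS; the check deliberately ignores the legitimate SVCHOST.EXE in SYSTEM32.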