Full Disclosure mailing list archives
Re: [0day] Heads up: Possible lsass worm in the wild
From: Darren Bounds <dbounds () intrusense com>
Date: Thu, 29 Apr 2004 09:37:23 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I believe that's actually a new AGOBOT variant. As far as I know it actually exploits the MS PCT vulnerability. It also modifies the HOSTS file to redirect AV vendor addresses to localhost.

Thanks,

Darren Bounds, CISSP
443D 628D 0AC7 CACF 6085 C0E0 B2FC 534B 3D9E 69AF
- --
Intrusense - Securing Business As Usual

On Apr 29, 2004, at 8:31 AM, morning_wood wrote:

> -= 0day - Freedom of Voice - Freedom of Choice =-
>
> dropped file: %SYSTEM%/msiwin84.exe
> remote process established to: lsass.exe
> remote ip: 4.x.x.x
> note: file msiwin84.exe was not running
>
> this appears to be a "blaster" type of worm working on the first and / or second subset of the infected host to begin scanning for more hosts. I have not completely unpacked the binary but here are some strings.
>
> ------------------ snip --------------
> DnsFlushResolve{ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home cCmd.Net, +MODEW ]m7155229476660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error: fix>ipS enc<5n clos*+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s) tal!x f@m'Q_ IP addrvs3
> ------------------ snip ---------------
>
> based on the above, the worm / viri tries to connect to an IRC server.
> anyone else experiencing this?
>
> morning_wood
> http://exploitlabs.com
>
> _______________________________________________
> 0day mailing list
> 0day () nothackers org
> http://nothackers.org/mailman/listinfo/0day

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFAkQUWsvxTSz2eaa8RAiM4AKC9WqFOz2fryj6x0rtr+xXfm1QSCwCfcN/R
hyHgPFkDfqvUw/F8eNr3TC0=
=5NIA
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
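Two indicators come up in the exchange above: a HOSTS file rewritten so that AV vendor hostnames resolve to localhost, and IRC command strings (PRIVMSG, JOIN, USERHOST, DCC, ...) inside the dropped binary. The following triage script is an added example written for this archive page; it is not code from either poster. The list of AV vendor domains is an assumption made for the example (the thread only says "AV vendor addresses"), and both the HOSTS file and the binary blob it runs against are constructed sample inputs, not captured from the worm.

```python
"""
Triage helpers for the two indicators discussed in the thread:
  1. HOSTS-file entries that point AV vendor hostnames at a sinkhole address.
  2. IRC protocol keywords embedded in a dropped executable.
Sample inputs below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Assumed vendor domains for the example; the thread does not list them.
AV_VENDOR_DOMAINS = (
    "symantec.com", "mcafee.com", "nai.com", "sophos.com",
    "kaspersky.com", "trendmicro.com", "f-secure.com", "grisoft.com",
)

# Addresses that make a hostname unreachable when placed in HOSTS.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Parse HOSTS-file text into (address, [hostnames]) pairs.

    Comments ('#' to end of line) and blank lines are ignored, which is
    how the resolver treats them too.
    """
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def _is_vendor_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in AV_VENDOR_DOMAINS)


def find_av_redirects(text: str) -> Dict[str, str]:
    """Return {hostname: address} for each vendor hostname sent to a sinkhole."""
    flagged: Dict[str, str] = {}
    for addr, hosts in parse_hosts(text):
        if addr not in SINKHOLE_ADDRS:
            continue
        for host in hosts:
            if _is_vendor_host(host):
                flagged[host] = addr
    return flagged


IRC_COMMAND_RE = re.compile(
    r"\b(?:PRIVMSG|NOTICE|JOIN|PART|QUIT|MODE|NICK|USER|USERHOST|PING|PONG|DCC)\b"
)
PRINTABLE_RUN_RE = re.compile(rb"[\x20-\x7e]{4,}")  # same rule as `strings`


def irc_strings(blob: bytes) -> List[str]:
    """Extract printable runs of 4+ bytes and keep those carrying an IRC keyword."""
    hits: List[str] = []
    for m in PRINTABLE_RUN_RE.finditer(blob):
        s = m.group().decode("ascii")
        if IRC_COMMAND_RE.search(s):
            hits.append(s)
    return hits


# Constructed sample HOSTS file (not from the infected host in the thread).
SAMPLE_HOSTS = """\
# HOSTS file, constructed sample
127.0.0.1       localhost
127.0.0.1       www.symantec.com        # added by malware
127.0.0.1       liveupdate.symantec.com
0.0.0.0         update.mcafee.com
192.0.2.10      intranet.example        # legitimate entry, must not be flagged
"""

# Constructed byte blob standing in for the dropped file.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"PRIVMSG %s :screw you\x00"
    + b"\x01\x02JOIN %s\x00"
    + b"QUIT\x00"
    + b"DnsFlushResolverCache\x00"   # Win32 API name, not an IRC string
    + b"\xff\xfeUSERHOST %s\x00"
)

if __name__ == "__main__":
    for host, addr in find_av_redirects(SAMPLE_HOSTS).items():
        print(f"HOSTS sinkholes {host} -> {addr}")
    for s in irc_strings(SAMPLE_BLOB):
        print(f"IRC string in binary: {s!r}")
```

On a real host, feed `find_av_redirects` the contents of `%SystemRoot%\system32\drivers\etc\hosts` and `irc_strings` the bytes of the suspect file; a clean machine yields an empty dict and an empty list. The hostname check matches on domain suffix, so subdomains such as liveupdate.symantec.com are caught without having to enumerate them.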
Current thread:
- Heads up: Possible lsass worm in the wild morning_wood (Apr 29)
- Re: Heads up: Possible lsass worm in the wild insecure (Apr 29)
- Re: Heads up: Possible lsass worm in the wild morning_wood (Apr 29)
- Re: Heads up: Possible lsass worm in the wild Paul Tinsley (Apr 29)
- Re: Heads up: Possible lsass worm in the wild morning_wood (Apr 29)
- Re: [0day] Heads up: Possible lsass worm in the wild Darren Bounds (Apr 29)
- <Possible follow-ups>
- RE: Heads up: Possible lsass worm in the wild Randal, Phil (Apr 29)
- Heads up: Possible lsass worm in the wild Feher Tamas (Apr 29)
- Heads up: Possible lsass worm in the wild Feher Tamas (Apr 30)
- Heads up: Possible lsass worm in the wild Feher Tamas (Apr 30)
- Re: Heads up: Possible lsass worm in the wild insecure (Apr 29)