Full Disclosure mailing list archives
Re: Heads up: Possible lsass worm in the wild
From: Paul Tinsley <jackhammer () gmail com>
Date: Thu, 29 Apr 2004 15:54:15 -0500
I have seen this one active and in use, it is connecting to 216-110-80-17.gen.twtelecom.net on port 6667. I connected to the server and found several interestingly named channels with interestingly named clients in them:

Channel names:
#!tenzkor    #[psy]- prefix to each client
#!!s32       #[eduz]- prefix to each client
#!rifkraca   #exc prefix to each client

On Thu, 29 Apr 2004 12:22:27 -0700, morning_wood <se_cur_ity () hotmail com> wrote:
I think the important thing here is that this was dropped via an lsass exploit, not that it is a specific type of viral agent ( agobot ) included in the drop. For those interested in a sample, it may be obtained at http://exploit.nothackers.org/msiwin84-lsass.zip

morning_wood
http://exploitlabs.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
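A detection sketch for the indicators reported in the message above, added here as an example and not part of the original post: it scans captured IRC client lines for the listed channel names and nick prefixes, folding case the way RFC 1459 servers do. The sensor line format, the sample addresses, and the reading of each list entry as "channel, then nick prefix without the leading #" are assumptions.

```python
import re

# Indicators from the message above. Treating each entry as "channel, then
# nick prefix with the leading '#' dropped" is an assumption about the list.
CHANNELS = ["#!tenzkor", "#!!s32", "#!rifkraca"]
NICK_PREFIXES = ["[psy]-", "[eduz]-", "exc"]

# RFC 1459 casemapping: A-Z and []\~ are the upper-case forms of a-z and {}|^
_FOLD = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ[]\\~",
                      "abcdefghijklmnopqrstuvwxyz{}|^")

def fold(name):
    """Normalise a nick or channel name the way an RFC 1459 server compares it."""
    return name.translate(_FOLD)

_CHANNELS = {fold(c) for c in CHANNELS}
_PREFIXES = tuple(fold(p) for p in NICK_PREFIXES)

# Hypothetical sensor format: "<src_ip> <dst_ip>:<port> <raw IRC line>"
_LINE = re.compile(r"^(\S+) (\S+):(\d+) (.*)$")

def scan(lines):
    """Return {src_ip: sorted reasons} for hosts that match an indicator."""
    hits = {}
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        src, irc = m.group(1), m.group(4)
        if irc.startswith(":"):              # drop an optional ":prefix "
            irc = irc.partition(" ")[2]
        parts = irc.split()
        if len(parts) < 2:
            continue
        cmd, arg = parts[0].upper(), parts[1].lstrip(":")
        if cmd == "NICK" and fold(arg).startswith(_PREFIXES):
            hits.setdefault(src, set()).add("nick " + arg)
        elif cmd == "JOIN":
            for chan in arg.split(","):      # JOIN takes a comma-separated list
                if fold(chan) in _CHANNELS:
                    hits.setdefault(src, set()).add("join " + chan)
    return {host: sorted(reasons) for host, reasons in hits.items()}

SAMPLE = [  # constructed lines using documentation address ranges
    "192.0.2.10 198.51.100.7:6667 NICK [psy]-48213",
    "192.0.2.10 198.51.100.7:6667 JOIN #!TENZKOR",
    "192.0.2.11 198.51.100.7:6667 NICK {eduz}-77",
    "192.0.2.12 198.51.100.7:6667 JOIN #linux,#!!s32 key",
    "192.0.2.13 198.51.100.7:6667 NICK alice",
]
```

The three-letter `exc` prefix will also match ordinary nicks, so a hit on it alone is a lead to check against the channel indicators rather than a verdict.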