lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: jheidtke at fmlh.edu (Jerry Heidtke)
Subject: [UPDATE] ping floods

It may be a new worm/virus. See the symptoms below.

Jerry

http://vil.nai.com/vil/content/v_100559.htm

Virus Characteristics: 

This detection is for another virus that exploits the the MS03-026
vulnerability.

It is not related to the W32/Lovsan.worm.d variant described here.

The virus is detected by the current Daily DATs as Exploit-DcomRpc virus
(with scanning of compressed files enabled).

Preliminary Analysis

Initial analysis shows the virus to install within a WINS directory
which is created in the Windows System directory:
C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes) 

Strings within the virus suggest it copies the TCP/IP trivial file
transfer daemon (TFTPD.EXE) binary from the dllcache on the victim
machine to this directory also, renaming it:
C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE 

The following services are installed: 
RpcPatch Set to run the installed copy of the worm (DLLHOST.EXE) 

Display name: "WINS Client"
RpcTftpd Set to run the copy of the TFTPD application (SVCHOST.EXE) 

Display name: Network Connections Sharing

Analysis is currently ongoing - description will be updated once
complete.
Top of Page 

Symptoms 
large volumes of ICMP traffic in network 
existence of the files and Windows services detailed above 

Jerry

-----Original Message-----
From: Abraham, Antony (Cognizant) [mailto:Antony@....cognizant.com] 
Sent: Monday, August 18, 2003 9:18 AM
To: B3r3n@...osnet.com; full-disclosure@...ts.netsys.com
Cc: Frank.Ederveen@...on-europe.com
Subject: RE: [Full-Disclosure] [UPDATE] ping floods


Hi,

We do have the same problem. Incidents.org has recorded the same
(http://isc.incidents.org/) but not much detail available.

Thanks,

Antony Abraham 

-----Original Message-----
From: B3r3n@...osnet.com [mailto:B3r3n@...osnet.com] 
Sent: Monday, August 18, 2003 6:59 PM
To: full-disclosure@...ts.netsys.com
Cc: Frank.Ederveen@...on-europe.com
Subject: [Full-Disclosure] [UPDATE] ping floods

Frank,

Yes, exactly, our ICMP requests are also detected as Cyber kit 2.2

Seems we share the same problem.

Some others too?

Brgrds

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information.  Any unauthorized review, use,
disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ