lists.openwall.net - Open Source and information security mailing list archives
From: prandal at herefordshire.gov.uk (Randal, Phil)
Subject: Heads up: Possible lsass worm in the wild

http://vil.nai.com/vil/content/v_125006.htm

----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> morning_wood
> Sent: 29 April 2004 13:31
> To: 0day; full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Heads up: Possible lsass worm in the wild
>
> dropped file: %SYSTEM%/msiwin84.exe
> remote process established to: lsass.exe remote ip:4.x.x.x
>
> note: file msiwin84.was not running
>
> this appears to be a "blaster" type of worm working on the
> first and / or second subset of the infected host to begin
> scanning for more hosts.
> I have not completely unpacked the binary but here are some strings.
>
> ------------------ snip --------------
> DnsFlushResolve
> {ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home
> cCmd.Net, +MODEW ]m715
> 522947
> 6660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error:
> fix>ipS enc<5n clos *+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s)
> tal!x f@..._ IP addrvs3
>
> ------------------ snip ---------------
>
> based on the above, the worm / viri tries to connect to an IRC server.
>
> anyone else experiencing this?
>
> morning_wood
> http://exploitlabs.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
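The two host-side indicators in the thread (a dropped `msiwin84.exe` in `%SYSTEM%`, and `lsass.exe` holding a connection out to an Internet address) can be turned into a quick triage check. The script below is an added example written for this page, not code from either poster. It parses `netstat -ano`-style output and a PID-to-image map such as `tasklist` would give, then flags connections owned by `lsass.exe` to non-private addresses, connections to the default IRC port (6667 is my assumption; the post only says "IRC server"), and processes whose image name matches the dropped file. All sample data is constructed; the `4.20.30.40` address is a placeholder matching the post's `4.x.x.x`.

```python
import ipaddress

DROPPED_FILE = "msiwin84.exe"   # indicator from the post: dropped into %SYSTEM%
IRC_DEFAULT_PORT = 6667         # assumption: common IRC port; the post does not give a port

# Constructed sample of Windows `netstat -ano` output (not from the post).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1034      192.168.1.5:88         ESTABLISHED     680
  TCP    192.168.1.10:1045      4.20.30.40:6667        ESTABLISHED     680
  TCP    192.168.1.10:1050      10.0.7.200:1025        SYN_SENT        1492
  UDP    192.168.1.10:123       *:*                                    1024
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_TASKLIST = {4: "System", 680: "lsass.exe", 1492: "msiwin84.exe", 1024: "svchost.exe"}

# Constructed directory listing of %SYSTEM%.
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "lsass.exe", "MSIWIN84.EXE"]


def parse_netstat(text):
    """Parse `netstat -ano` lines into dicts; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, remote = fields[0], fields[2]
        state = fields[3] if proto == "TCP" else None   # UDP rows carry no state column
        rip, rport = remote.rsplit(":", 1)
        conns.append({
            "proto": proto,
            "local": fields[1],
            "remote_ip": rip,
            "remote_port": int(rport) if rport.isdigit() else None,
            "state": state,
            "pid": int(fields[-1]),
        })
    return conns


def is_public(ip_text):
    """True for routable Internet addresses; False for RFC1918, loopback, 0.0.0.0, '*'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_unspecified or ip.is_link_local)


def find_suspicious_connections(conns, pid_to_image):
    """Return one alert per connection that matches any indicator from the thread."""
    alerts = []
    for c in conns:
        image = pid_to_image.get(c["pid"], "<unknown>")
        reasons = []
        # lsass.exe legitimately talks to domain controllers, normally on internal addresses.
        if image.lower() == "lsass.exe" and c["state"] == "ESTABLISHED" and is_public(c["remote_ip"]):
            reasons.append("lsass.exe holds an established connection to a public address")
        if c["remote_port"] == IRC_DEFAULT_PORT:
            reasons.append("remote port is the default IRC port")
        if image.lower() == DROPPED_FILE:
            reasons.append("owning process image matches the dropped file name")
        if reasons:
            alerts.append({
                "pid": c["pid"],
                "image": image,
                "remote": f"{c['remote_ip']}:{c['remote_port']}",
                "reasons": reasons,
            })
    return alerts


def dropped_file_present(system_dir_listing):
    """Case-insensitive check for the dropped file name in a %SYSTEM% listing."""
    return any(name.lower() == DROPPED_FILE for name in system_dir_listing)


if __name__ == "__main__":
    for alert in find_suspicious_connections(parse_netstat(SAMPLE_NETSTAT), SAMPLE_TASKLIST):
        print(f"PID {alert['pid']} ({alert['image']}) -> {alert['remote']}: {'; '.join(alert['reasons'])}")
    print("dropped file present:", dropped_file_present(SAMPLE_SYSTEM_DIR))
```

On a live host, feed it the real `netstat -ano` output and a `tasklist` PID map; the lsass.exe rule is the one worth keeping permanently, since that process has no business holding sessions to arbitrary Internet addresses.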