lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: prandal at herefordshire.gov.uk (Randal, Phil)
Subject: Heads up: Possible lsass worm in the wild

http://vil.nai.com/vil/content/v_125006.htm

----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> morning_wood
> Sent: 29 April 2004 13:31
> To: 0day; full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Heads up: Possible lsass worm in the wild
> 
> dropped file: %SYSTEM%/msiwin84.exe
> remote process established to: lsass.exe remote ip:4.x.x.x
> 
> note: file msiwin84.was not running
> 
> 
> this appears to be a "blaster" type of worm working on the 
> first and / or second subset of the infected host to begin 
> scanning for more hosts.
> I have not completly unpacked the binary but here is some strings.
> 
> ------------------ snip --------------
> DnsFlushResolve
> {ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home  
> cCmd.Net, +MODEW ]m715
> 522947
> 6660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error: 
> fix>ipS enc<5n  clos *+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s)  
> tal!x f@..._  IP addrvs3
> 
> ------------------ snip ---------------
> 
> based on the above, the worm / viri tries to connect to a IRC server.
> 
> anyone else experiencing this?
> 
> 
> morning_wood
> http://exploitlabs.com
> 
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 


Powered by blists - more mailing lists