| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: insecure at ameritech.net (insecure) Subject: another new worm submission Perrymon, Josh L. wrote: >http://www.detroit-x.com/analysis.htm > >This is something we found this morning. I have packet captures that I will >post. >I have attached the infected files found with FPORT and also registry >entries. > >We found this rebooting machines with the LSASS.exe error similar to Sasser. >As of 6/4/2004 we found no virus defs to pick it up. > > >Joshua Perrymon >Sr. Network Security Consultant > > > McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT. This is not a worm, it's a trojan. Your systems are being remotely compromised, possibly with an auto-rooter targeting the lsass vulnerability, which instructs the compromised system to download, install, and run this trojan. This trojan includes a keystroke logger, and additional components that you seem to have missed. Assume that system and any web site passwords have been compromised. Warn the users of these systems that unless they change any financial site passwords they are likely to be victims of theft. How are these system getting compromised? Why don't you have this patch deployed yet? Why are these systems reachable from the Internet over port 445? You've got more problems than new worms.
Powered by blists - more mailing lists