Message-ID: <39550.208.45.168.113.1081455886.squirrel@www.dslextreme.com>
Date: Thu, 8 Apr 2004 13:24:46 -0700 (PDT)
From: securityguy@...extreme.com
To: bugtraq@...urityfocus.com
Cc: Justin.Polazzo@...ilities.gatech.edu
Subject: RE: New Worm/Virus April 8th


What's the propagation method?  Is it through email?

- SG

-----Original Message-----
From: Polazzo Justin [mailto:Justin.Polazzo@...ilities.gatech.edu]
Sent: Thursday, April 08, 2004 6:53 AM
To: appsec-research@...uxbox.org
Cc: bugtraq@...urityfocus.com
Subject: New Worm/Virus April 8th

Concerning the new worm type infection spreading around today (6:15am EST)

The file is called ndemon.exe (.99k) and it puts itself into c:\winnt and
c:\winnt\system32. Registry entries
HKLM\Software|Microsoft|CurrentVersion\Run and
HKLM\Software|Microsoft|CurrentVersion\RunServices (Think it creates that
one).

At first look:
It then tries to propagate itself via MS ports 135 and 139 via known
flaws and password guessing. It also listens for other infected machines
on port 1025 and scans for MS IIS boxes on port 80 (to try known exploits
as well).

The infected machines were Win2k SP4 (fully patched) running Symantec AV v8.6.

Just a heads up

jp

Justin Polazzo
CSS II, Facilities IT
Georgia Institute of Technology
915 Atlantic Drive
Atlanta, GA  30332-0350

404-894-6804 Voice
404-894-8088 Facsimile

justin.polazzo@...ilities.gatech.edu

Request assistance at <http://it.facilities.gatech.edu/it-helpdesk.php>

Submit a question or comment at <http://it.facilities.gatech.edu/comments.php>

http://www.cauce.org   A site to help fight Spam
