Message-ID: <hjto9i.1nvx1d@d101.x-mailer.de>
From: a.gietl at e-admin.de (Andreas Gietl)
Subject: [UPDATE] ping floods
"Jerry Heidtke" <jheidtke@...h.edu> wrote:
Has anybody caught a copy of this new worm?
>
> It may be a new worm/virus. See the symptoms below.
>
> Jerry
>
> http://vil.nai.com/vil/content/v_100559.htm
>
> Virus Characteristics:
>
> This detection is for another virus that exploits the MS03-026
> vulnerability.
>
> It is not related to the W32/Lovsan.worm.d variant described here.
>
> The virus is detected by the current Daily DATs as Exploit-DcomRpc virus
> (with scanning of compressed files enabled).
>
> Preliminary Analysis
>
> Initial analysis shows the virus to install within a WINS directory
> which is created in the Windows System directory:
> C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes)
>
> Strings within the virus suggest it copies the TCP/IP trivial file
> transfer daemon (TFTPD.EXE) binary from the dllcache on the victim
> machine to this directory also, renaming it:
> C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE
>
> The following services are installed:
> RpcPatch Set to run the installed copy of the worm (DLLHOST.EXE)
>
> Display name: "WINS Client"
> RpcTftpd Set to run the copy of the TFTPD application (SVCHOST.EXE)
>
> Display name: Network Connections Sharing
>
> Analysis is currently ongoing - description will be updated once
> complete.
>
> Symptoms
> large volumes of ICMP traffic in network
> existence of the files and Windows services detailed above
>
> Jerry
>
> -----Original Message-----
> From: Abraham, Antony (Cognizant) [mailto:Antony@....cognizant.com]
> Sent: Monday, August 18, 2003 9:18 AM
> To: B3r3n@...osnet.com; full-disclosure@...ts.netsys.com
> Cc: Frank.Ederveen@...on-europe.com
> Subject: RE: [Full-Disclosure] [UPDATE] ping floods
>
>
> Hi,
>
> We do have the same problem. Incidents.org has recorded the same
> (http://isc.incidents.org/) but not much detail available.
>
> Thanks,
>
> Antony Abraham
>
> -----Original Message-----
> From: B3r3n@...osnet.com [mailto:B3r3n@...osnet.com]
> Sent: Monday, August 18, 2003 6:59 PM
> To: full-disclosure@...ts.netsys.com
> Cc: Frank.Ederveen@...on-europe.com
> Subject: [Full-Disclosure] [UPDATE] ping floods
>
> Frank,
>
> Yes, exactly, our ICMP requests are also detected as CyberKit 2.2
>
> Seems we share the same problem.
>
> Some others too?
>
> Brgrds
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
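The two symptoms the quoted description lists (large volumes of ICMP traffic on the network, and the files and services under SYSTEM32\WINS) map directly onto two checks an incident responder would run. The block below is an added example written for this archive page; it is not code from the thread, from McAfee, or from any of the posters. It assumes tcpdump's text output format for the network side, and that the system root may be WINDOWS rather than WINNT on some hosts, so file matches are made on the path tail. The sample capture lines, file listing and service table are constructed for the example; the thresholds (5 echo requests in 10 seconds) are deliberately low so the sample triggers and would be raised to fit a real network. For a live host you would feed the file check the output of a directory listing and the service check the output of `sc query`, not the inline samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of tcpdump text output (not from the original thread).
# 10.0.0.5 sweeps six hosts within a second, which is the flood/scan pattern;
# 10.0.0.9 sends a single normal ping; echo replies must be ignored.
SAMPLE_TCPDUMP = """\
09:18:00.000100 IP 10.0.0.5 > 10.0.1.1: ICMP echo request, id 512, seq 1, length 72
09:18:00.000200 IP 10.0.0.5 > 10.0.1.2: ICMP echo request, id 512, seq 2, length 72
09:18:00.000300 IP 10.0.0.5 > 10.0.1.3: ICMP echo request, id 512, seq 3, length 72
09:18:00.000400 IP 10.0.0.5 > 10.0.1.4: ICMP echo request, id 512, seq 4, length 72
09:18:00.000500 IP 10.0.0.5 > 10.0.1.5: ICMP echo request, id 512, seq 5, length 72
09:18:00.000600 IP 10.0.0.5 > 10.0.1.6: ICMP echo request, id 512, seq 6, length 72
09:18:00.100000 IP 10.0.1.1 > 10.0.0.5: ICMP echo reply, id 512, seq 1, length 72
09:18:03.500000 IP 10.0.0.9 > 10.0.1.1: ICMP echo request, id 1, seq 1, length 64
09:18:45.000000 IP 10.0.0.5 > 10.0.1.7: ICMP echo request, id 512, seq 7, length 72
"""

# Matches only echo requests; replies and other ICMP types are skipped.
ECHO_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request"
)


def flood_sources(lines, threshold=100, window_seconds=10.0):
    """Return {source: stats} for every source whose echo-request count in any
    sliding window of window_seconds reaches threshold. Also reports how many
    distinct targets it pinged, since a worm sweep hits many hosts once each."""
    per_src = defaultdict(list)
    for line in lines:
        m = ECHO_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
        per_src[m.group("src")].append((ts, m.group("dst")))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = {
                "max_in_window": best,
                "distinct_targets": len({dst for _, dst in events}),
            }
    return flagged


# Host indicators exactly as the quoted description names them. The legitimate
# DLLHOST.EXE and SVCHOST.EXE live directly in SYSTEM32; the WINS subdirectory
# is the discriminator, so only the path tail is compared (assumption: the
# system root may be WINNT or WINDOWS).
WELCHIA_FILE_TAILS = ("\\SYSTEM32\\WINS\\DLLHOST.EXE", "\\SYSTEM32\\WINS\\SVCHOST.EXE")
WELCHIA_SERVICES = {"RpcPatch": "WINS Client", "RpcTftpd": "Network Connections Sharing"}


def match_iocs(file_listing, services):
    """file_listing: iterable of full paths; services: {service name: display name}.
    Returns a list of (kind, detail) hits."""
    hits = []
    for path in file_listing:
        norm = path.upper().replace("/", "\\")
        if norm.endswith(WELCHIA_FILE_TAILS):
            hits.append(("file", path))
    for name, display in services.items():
        if name in WELCHIA_SERVICES:
            hits.append(("service", f"{name} ({display})"))
    return hits


# Constructed host data for the example (not from a real machine).
SAMPLE_FILES = [
    r"C:\WINNT\SYSTEM32\dllhost.exe",           # legitimate, must not match
    r"C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE",      # worm copy
    r"C:\WINNT\SYSTEM32\WINS\svchost.exe",      # renamed TFTPD.EXE
]
SAMPLE_SERVICES = {
    "RpcPatch": "WINS Client",
    "RpcTftpd": "Network Connections Sharing",
    "Dhcp": "DHCP Client",                      # legitimate, must not match
}

if __name__ == "__main__":
    for src, stats in flood_sources(SAMPLE_TCPDUMP.splitlines(), 5, 10.0).items():
        print(f"ICMP flood from {src}: {stats}")
    for kind, detail in match_iocs(SAMPLE_FILES, SAMPLE_SERVICES):
        print(f"IOC hit ({kind}): {detail}")
```

Run as-is it flags 10.0.0.5 (six requests inside one window, seven distinct targets) and leaves the single ping from 10.0.0.9 alone; on the host side it reports both WINS copies and both services while ignoring the legitimate dllhost.exe and DHCP Client. Counting distinct targets alongside the raw rate is what separates a worm sweep from a chatty monitoring box that pings the same few hosts repeatedly.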