From: falcon at geekery.net (Chris G. Turner)
Subject: [UPDATE] ping floods


attached.

Andreas Gietl wrote:

> "Jerry Heidtke" <jheidtke@...h.edu> wrote:
> 
> anybody caught a copy of this new worm?
> 
> 
>>It may be a new worm/virus. See the symptoms below.
>>
>>Jerry
>>
>>http://vil.nai.com/vil/content/v_100559.htm
>>
>>Virus Characteristics: 
>>
>>This detection is for another virus that exploits the MS03-026
>>vulnerability.
>>
>>It is not related to the W32/Lovsan.worm.d variant described here.
>>
>>The virus is detected by the current Daily DATs as Exploit-DcomRpc virus
>>(with scanning of compressed files enabled).
>>
>>Preliminary Analysis
>>
>>Initial analysis shows the virus to install within a WINS directory
>>which is created in the Windows System directory:
>>C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes) 
>>
>>Strings within the virus suggest it copies the TCP/IP trivial file
>>transfer daemon (TFTPD.EXE) binary from the dllcache on the victim
>>machine to this directory also, renaming it:
>>C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE 
>>
>>The following services are installed: 
>>RpcPatch Set to run the installed copy of the worm (DLLHOST.EXE) 
>>
>>Display name: "WINS Client"
>>RpcTftpd Set to run the copy of the TFTPD application (SVCHOST.EXE) 
>>
>>Display name: Network Connections Sharing
>>
>>Analysis is currently ongoing - description will be updated once
>>complete.
>>
>>Symptoms 
>>large volumes of ICMP traffic in network 
>>existence of the files and Windows services detailed above 
>>
>>Jerry
>>
>>-----Original Message-----
>>From: Abraham, Antony (Cognizant) [mailto:Antony@....cognizant.com] 
>>Sent: Monday, August 18, 2003 9:18 AM
>>To: B3r3n@...osnet.com; full-disclosure@...ts.netsys.com
>>Cc: Frank.Ederveen@...on-europe.com
>>Subject: RE: [Full-Disclosure] [UPDATE] ping floods
>>
>>
>>Hi,
>>
>>We do have the same problem. Incidents.org has recorded the same
>>(http://isc.incidents.org/) but not much detail available.
>>
>>Thanks,
>>
>>Antony Abraham 
>>
>>-----Original Message-----
>>From: B3r3n@...osnet.com [mailto:B3r3n@...osnet.com] 
>>Sent: Monday, August 18, 2003 6:59 PM
>>To: full-disclosure@...ts.netsys.com
>>Cc: Frank.Ederveen@...on-europe.com
>>Subject: [Full-Disclosure] [UPDATE] ping floods
>>
>>Frank,
>>
>>Yes, exactly, our ICMP requests are also detected as Cyber kit 2.2
>>
>>Seems we share the same problem.
>>
>>Some others too?
>>
>>Brgrds
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
>>Confidentiality Notice: This e-mail message, including any attachments,
>>is for the sole use of the intended recipient(s) and may contain
>>confidential and privileged information.  Any unauthorized review, use,
>>disclosure or distribution is prohibited.  If you are not the intended
>>recipient, please contact the sender by reply e-mail and destroy all
>>copies of the original message.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Nachi.zip
Type: application/x-zip-compressed
Size: 19180 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030818/6e295730/Nachi.bin
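The quoted McAfee write-up gives two kinds of indicators a responder can act on: host artifacts (the WINS subdirectory files and the RpcPatch / RpcTftpd services) and the network symptom (one host generating ICMP echo requests to many addresses). The script below is an added example, not code from this thread or from McAfee, that turns both into checks. The file list, service triples and flow-log format it consumes are constructed for the example; on a real host the same service name / display name / binary path triples would come from the service control manager, and the flow lines from whatever sensor records ICMP type per packet.

```python
"""Host and network indicator checks for the Nachi/Welchia-style infection
described in the quoted write-up. Added example; every input below is
constructed sample data, not captured evidence."""
import re
from typing import Iterable

# Indicators taken from the quoted description. The Windows system
# directory differs per host, so only the path tail is compared.
NACHI_FILES = {
    r"system32\wins\dllhost.exe",   # the worm body
    r"system32\wins\svchost.exe",   # renamed copy of TFTPD.EXE
}
NACHI_SERVICES = {
    "rpcpatch": "WINS Client",
    "rpctftpd": "Network Connections Sharing",
}
ICMP_ECHO_REQUEST = 8  # ICMP type 8 = echo request (the "ping" the thread describes)


def check_host(files: Iterable[str],
               services: Iterable[tuple[str, str, str]]) -> list[str]:
    """Return human-readable findings for a host inventory.

    files    -- full paths present on the host
    services -- (service_name, display_name, binary_path) tuples
    """
    findings = []
    for path in files:
        low = path.lower()
        if any(low.endswith(tail) for tail in NACHI_FILES):
            findings.append(f"file: {path}")
    for name, display, binary in services:
        if name.lower() in NACHI_SERVICES:
            findings.append(f"service: {name} ({display!r}) -> {binary}")
        # Legitimate svchost.exe/dllhost.exe live in system32 itself, never
        # in a WINS subfolder, so any service started from there is suspect.
        elif re.search(r"\\system32\\wins\\", binary, re.IGNORECASE):
            findings.append(f"service: {name} runs from WINS dir -> {binary}")
    return findings


def icmp_sweep_sources(flows: Iterable[str], min_targets: int = 50) -> dict[str, int]:
    """Count distinct destinations per source for ICMP echo requests.

    Each flow line is 'timestamp src dst proto icmp_type' (constructed format).
    Returns {src: distinct_destination_count} for sources at or above the
    threshold, i.e. hosts sweeping the network rather than pinging a peer.
    """
    targets: dict[str, set[str]] = {}
    for line in flows:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash mid-triage
        _, src, dst, proto, itype = parts
        if proto.lower() == "icmp" and itype == str(ICMP_ECHO_REQUEST):
            targets.setdefault(src, set()).add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


# Constructed sample inventory: the two worm files plus a legitimate svchost.
SAMPLE_FILES = [
    r"C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE",
    r"C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE",
    r"C:\WINNT\SYSTEM32\SVCHOST.EXE",
]
SAMPLE_SERVICES = [
    ("RpcPatch", "WINS Client", r"C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE"),
    ("RpcTftpd", "Network Connections Sharing", r"C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE"),
    ("Dhcp", "DHCP Client", r"C:\WINNT\SYSTEM32\svchost.exe -k netsvcs"),
]
# Constructed flows: one host sends echo requests to 60 distinct addresses;
# a second host exchanges a single ordinary ping with its gateway.
SAMPLE_FLOWS = [f"1061200000.{i:02d} 10.0.0.7 10.0.1.{i} icmp 8" for i in range(60)] + [
    "1061200001.00 10.0.0.9 10.0.0.1 icmp 8",
    "1061200001.01 10.0.0.1 10.0.0.9 icmp 0",
]

if __name__ == "__main__":
    for finding in check_host(SAMPLE_FILES, SAMPLE_SERVICES):
        print("HOST:", finding)
    for src, n in icmp_sweep_sources(SAMPLE_FLOWS).items():
        print(f"NET: {src} sent echo requests to {n} distinct hosts")
```

The host check matches on the service names first and on the WINS directory second, so a variant that keeps the directory but renames its services still surfaces; the network check counts distinct destinations rather than raw packet volume, which separates a scanning host from one that merely pings a monitoring target often.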
