Message-ID: <3F40FD5A.8070709@geekery.net>
From: falcon at geekery.net (Chris G. Turner)
Subject: [UPDATE] ping floods
attached.
Andreas Gietl wrote:
> "Jerry Heidtke" <jheidtke@...h.edu> wrote:
>
> Anybody caught a copy of this new worm?
>
>
>>It may be a new worm/virus. See the symptoms below.
>>
>>Jerry
>>
>>http://vil.nai.com/vil/content/v_100559.htm
>>
>>Virus Characteristics:
>>
>>This detection is for another virus that exploits the MS03-026
>>vulnerability.
>>
>>It is not related to the W32/Lovsan.worm.d variant described here.
>>
>>The virus is detected by the current Daily DATs as Exploit-DcomRpc virus
>>(with scanning of compressed files enabled).
>>
>>Preliminary Analysis
>>
>>Initial analysis shows the virus to install within a WINS directory
>>which is created in the Windows System directory:
>>C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes)
>>
>>Strings within the virus suggest it copies the TCP/IP trivial file
>>transfer daemon (TFTPD.EXE) binary from the dllcache on the victim
>>machine to this directory also, renaming it:
>>C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE
>>
>>The following services are installed:
>>RpcPatch: set to run the installed copy of the worm (DLLHOST.EXE)
>>Display name: "WINS Client"
>>
>>RpcTftpd: set to run the copy of the TFTPD application (SVCHOST.EXE)
>>Display name: "Network Connections Sharing"
>>
>>Analysis is currently ongoing - description will be updated once
>>complete.
>>
>>Symptoms
>>large volumes of ICMP traffic in network
>>existence of the files and Windows services detailed above
>>
>>Jerry
>>
>>-----Original Message-----
>>From: Abraham, Antony (Cognizant) [mailto:Antony@....cognizant.com]
>>Sent: Monday, August 18, 2003 9:18 AM
>>To: B3r3n@...osnet.com; full-disclosure@...ts.netsys.com
>>Cc: Frank.Ederveen@...on-europe.com
>>Subject: RE: [Full-Disclosure] [UPDATE] ping floods
>>
>>
>>Hi,
>>
>>We do have the same problem. Incidents.org has recorded the same
>>(http://isc.incidents.org/) but not much detail available.
>>
>>Thanks,
>>
>>Antony Abraham
>>
>>-----Original Message-----
>>From: B3r3n@...osnet.com [mailto:B3r3n@...osnet.com]
>>Sent: Monday, August 18, 2003 6:59 PM
>>To: full-disclosure@...ts.netsys.com
>>Cc: Frank.Ederveen@...on-europe.com
>>Subject: [Full-Disclosure] [UPDATE] ping floods
>>
>>Frank,
>>
>>Yes, exactly, our ICMP requests are also detected as CyberKit 2.2.
>>
>>Seems we share the same problem.
>>
>>Some others too?
>>
>>Brgrds
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Nachi.zip
Type: application/x-zip-compressed
Size: 19180 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030818/6e295730/Nachi.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4674 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030818/6e295730/smime.bin
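The "large volumes of ICMP traffic" symptom quoted above is really a ping sweep: one infected host sending echo requests to many distinct addresses in a short time, which is what separates it from an admin's normal pings. As an added example (not code from this thread or from the vendor write-up), here is a Python detector that runs over constructed firewall-style log lines; the log format, the 10-second window and the 20-target threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format (an assumption, not any real product's): "2003-08-18 09:18:01 ICMP 10.0.0.5 -> 10.0.3.77 type=8"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ICMP "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) type=(?P<type>\d+)$"
)

def parse_line(line):
    """Return (timestamp, src, dst, icmp_type), or None for a non-ICMP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["type"])

def find_ping_sweepers(lines, window=timedelta(seconds=10), min_targets=20):
    """Flag sources whose echo requests (type 8) reach >= min_targets distinct
    destinations inside one sliding window. Returns {src: peak_distinct_targets}."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 8:
            continue  # only echo requests count toward a sweep
        ts, src, dst, _ = rec
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop records that fell out of the window
        distinct = len({d for _, d in q})
        if distinct >= min_targets and distinct > flagged.get(src, 0):
            flagged[src] = distinct
    return flagged

def constructed_log():
    """Constructed sample: one host sweeping 60 addresses, plus an admin's normal pings."""
    base = datetime(2003, 8, 18, 9, 18, 0)
    lines = []
    for i in range(1, 61):  # infected host hits 60 neighbours in six seconds
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} ICMP 10.0.0.5 -> 10.0.3.{i} type=8")
    for i in range(5):  # an admin pinging one gateway, and its replies
        t = base + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} ICMP 10.0.0.9 -> 10.0.0.1 type=8")
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} ICMP 10.0.0.1 -> 10.0.0.9 type=0")
    return lines
```

Calling find_ping_sweepers(constructed_log()) returns {'10.0.0.5': 60} while the admin host stays unflagged; in practice, feed it the ICMP records from your own logs in timestamp order, since the sliding window assumes each source's records arrive sorted.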