lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Heads up: Possible lsass worm in the wild

dropped file: %SYSTEM%/msiwin84.exe
remote process established to: lsass.exe
remote ip:4.x.x.x

note: file msiwin84.was not running


this appears to be a "blaster" type of worm working on the first and / or
second subset of the infected host to begin scanning for more hosts.
I have not completly unpacked the binary but here is some strings.

------------------ snip --------------
DnsFlushResolve
{ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home  cCmd.Net, +MODEW ]m715
522947
6660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error: fix>ipS enc<5n  clos
*+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s)  tal!x f@..._  IP addrvs3

------------------ snip ---------------

based on the above, the worm / viri tries to connect to a IRC server.

anyone else experiencing this?


morning_wood
http://exploitlabs.com









Powered by blists - more mailing lists