lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4091118E.7080505@ameritech.net>
From: insecure at ameritech.net (insecure)
Subject: Heads up: Possible lsass worm in the wild

morning_wood wrote:

>dropped file: %SYSTEM%/msiwin84.exe
>remote process established to: lsass.exe
>remote ip:4.x.x.x
>
>note: file msiwin84.was not running
>
>
>this appears to be a "blaster" type of worm working on the first and / or
>second subset of the infected host to begin scanning for more hosts.
>I have not completly unpacked the binary but here is some strings.
>
>------------------ snip --------------
>DnsFlushResolve
>{ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home  cCmd.Net, +MODEW ]m715
>522947
>6660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error: fix>ipS enc<5n  clos
>*+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s)  tal!x f@..._  IP addrvs3
>
>------------------ snip ---------------
>
>based on the above, the worm / viri tries to connect to a IRC server.
>
>anyone else experiencing this?
>
>
>morning_wood
>http://exploitlabs.com
>
>
>
>
>
>
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>  
>
According to McAfee, this is W32/Gaobot.worm.ali. It is not a "blaster" 
type worm, as it does not spread completely autonomously. It infects a 
system, contacts an IRC server, and waits for instructions, one of which 
can be to search for and infect other vulnerable systems. The IRC server 
is offline at the moment.

See http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125006


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ