[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <40C0E1A9.5080705@ameritech.net>
From: insecure at ameritech.net (insecure)
Subject: another new worm submission
Perrymon, Josh L. wrote:
>http://www.detroit-x.com/analysis.htm
>
>This is something we found this morning. I have packet captures that I will
>post.
>I have attached the infected files found with FPORT and also registry
>entries.
>
>We found this rebooting machines with the LSASS.exe error similar to Sasser.
>As of 6/4/2004 we found no virus defs to pick it up.
>
>
>Joshua Perrymon
>Sr. Network Security Consultant
>
>
>
McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT. This is
not a worm, it's a trojan. Your systems are being remotely compromised,
possibly with an auto-rooter targeting the lsass vulnerability, which
instructs the compromised system to download, install, and run this
trojan. This trojan includes a keystroke logger, and additional
components that you seem to have missed. Assume that system and any web
site passwords have been compromised. Warn the users of these systems
that unless they change any financial site passwords they are likely to
be victims of theft.
How are these system getting compromised? Why don't you have this patch
deployed yet? Why are these systems reachable from the Internet over
port 445?
You've got more problems than new worms.
Powered by blists - more mailing lists