lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.58.0508301235020.11191@well.com>
Date: Tue Aug 30 21:13:42 2005
From: vvandal at well.com (Vic Vandal)
Subject: No one else seeing the new MS05-039 worm yet?

>care to share?

Dude I'll e-mail you a very temporary link to the executable,
off the list.  Just share it further using your own bandwidth
instead of mine please.  I've done likewise with a few other
people who requested a sample, but don't have time to respond
to each request individually.

If you want to post it on your own box and share it with the
full "full disclosure" list, that's up to you.

I see Symantec came up with an advisory 10-11 hours after they
got a sample, yet still got a couple things wrong.  My 411 wasn't
completely comprehensive either, but I'm not getting paid to
analyze malware for the masses and don't have a dedicated lab,
l33t expensive tools, and a paycheck dedicated to such things.

On all the infections I've seen (I work for a large international
organization, so malware presence is a given...due to technical
constraints I'll not delve into at the moment) there were no
e-mail impacts.  Also I didn't see the Was*.tmp DLL they mention
on most boxes.  Also they don't mention that "multiple" reg keys
may be added to the Run folder.  Lastly they don't point out that
"worm" propagation based on the PnP vulnerability only occurs on
the Win2K boxes.  Win2K3 and WinXP require some user/machine action
to exploit the vulnerability, and the malware can't infect those
boxes independently.  I don't think I mentioned that either, but
figure most on this list know such things.  AV vendors shouldn't
make such assumptions though.

The behavior varied from workstation to server.  On one server
the malware was constantly creating 1.7GB executable files and
eating up 100% of the CPU.  That box was a very unique animal
though and I doubt most would see that on your average server.

Peace,
Vic

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ