Message-ID: <EKECJMGPAACGOMIGLJJDKEEKHLAA.geoincidents@nls.net>
Date: Wed, 30 Aug 2006 10:08:43 -0400
From: "Geo." <geoincidents@....net>
To: <full-disclosure@...ts.grok.org.uk>
Subject: NT4 worm

Has anyone seen a writeup on this new NT4 worm that's spreading via port 139 MS06-040 yet? I'm seeing customers getting hit by it but I haven't seen any real mention of it anywhere yet.

It appears to run two CMD.EXE hidden windows and sucks up all the cpu in the infected systems trying to spread. I've also seen one customer who found csrsc.exe on the machine after the worm hit them.

I did manage to find out once it exploits a machine it uses ftp.exe to connect back to the infecting host and transfer something but I've not had time to really dig into this thing. Hoping someone else has already.

Looks like it's spreading pretty quick
http://isc.incidents.org/port_details.php?port=139&repax=1&tarax=2&srcax=2&percent=N&days=40

Geo.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/