Message-ID: <5490656.102201156950705906.JavaMail.juha-matti.laurio@netti.fi>
Date: Wed, 30 Aug 2006 18:11:45 +0300 (EEST)
From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
To: "Geo." <geoincidents@....net>, full-disclosure@...ts.grok.org.uk
Cc: 
Subject: Re: NT4 worm

Are the machines you have experience with specifically NT4.0 machines?
It appears that one of the PoCs (public on Monday 28th Aug) lists the following information:
"Systems Affected:
*  Microsoft Windows 2000 SP0-SP4
*  Microsoft Windows XP SP0-SP1
*  Microsoft Windows NT 4.0"

but reportedly it is tested against XPSP1 and W2KSP4 systems.

I believe that fully patched NT4SP6a/SRP shipped with Netapi32.dll is affected.

- Juha-Matti


"Geo." <geoincidents@....net> wrote: 
> 
> Has anyone seen a writeup on this new NT4 worm that's spreading via port 139
> MS06-040 yet? I'm seeing customers getting hit by it but I haven't seen any
> real mention of it anywhere yet. It appears to run two CMD.EXE hidden
> windows and sucks up all the cpu in the infected systems trying to spread.
> I've also seen one customer who found csrsc.exe on the machine after the
> worm hit them.
> 
> I did manage to find out once it exploits a machine it uses ftp.exe to
> connect back to the infecting host and transfer something but I've not had
> time to really dig into this thing. Hoping someone else has already. Looks
> like it's spreading pretty quickly.
> 
> http://isc.incidents.org/port_details.php?port=139&repax=1&tarax=2&srcax=2&percent=N&days=40
> 
> 
> Geo.
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
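The indicators Geo reports above (spread over TCP/139, two hidden CMD.EXE windows, a dropped csrsc.exe, and ftp.exe calling back to the infecting host) can be turned into a host triage check. This is an added example, not code from the thread; the record layout (name, pid, window_visible, direction, remote, lport, rport) and the sample snapshot are constructed assumptions.

```python
"""Triage heuristics for the NT4 / MS06-040 worm described in the thread.

Added example, not from the original post. Input records are constructed
here to mimic a process listing joined with a connection table; the field
names (name, pid, window_visible, direction, remote, lport, rport) are assumptions.
"""
from collections import Counter

# Indicators taken from the thread: spreads via TCP/139 (MS06-040),
# runs hidden CMD.EXE windows, drops csrsc.exe, and calls back with ftp.exe.
DROPPED_NAME = "csrsc.exe"   # near-miss of the legitimate csrss.exe
SMB_PORT = 139

def triage(processes, connections):
    """Return a list of findings (strings) for one host snapshot."""
    findings = []
    names = Counter(p["name"].lower() for p in processes)
    if names[DROPPED_NAME]:
        findings.append(f"dropped binary present: {DROPPED_NAME}")
    hidden_cmd = [p for p in processes
                  if p["name"].lower() == "cmd.exe" and not p["window_visible"]]
    if len(hidden_cmd) >= 2:
        findings.append(f"{len(hidden_cmd)} hidden cmd.exe instances")
    # Inbound SMB sources: candidate hosts that exploited us over 139.
    inbound_139 = {c["remote"] for c in connections
                   if c["direction"] == "in" and c["lport"] == SMB_PORT}
    # ftp.exe connecting back to one of those sources matches the callback.
    ftp_pids = {p["pid"] for p in processes if p["name"].lower() == "ftp.exe"}
    for c in connections:
        if c["direction"] == "out" and c["pid"] in ftp_pids and c["remote"] in inbound_139:
            findings.append(f"ftp.exe callback to infecting host {c['remote']}")
    return findings

# Constructed sample snapshot (not real data); 192.0.2.10 is a documentation address.
SAMPLE_PROCESSES = [
    {"pid": 4, "name": "csrss.exe", "window_visible": False},
    {"pid": 900, "name": "cmd.exe", "window_visible": False},
    {"pid": 904, "name": "cmd.exe", "window_visible": False},
    {"pid": 910, "name": "csrsc.exe", "window_visible": False},
    {"pid": 915, "name": "ftp.exe", "window_visible": False},
]
SAMPLE_CONNECTIONS = [
    {"pid": 4, "direction": "in", "remote": "192.0.2.10", "lport": 139, "rport": 3210},
    {"pid": 915, "direction": "out", "remote": "192.0.2.10", "lport": 3211, "rport": 21},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS):
        print(finding)
```

Each heuristic alone is noisy (a hidden cmd.exe is common); the ftp.exe callback to the same host that came in on 139 is the one worth alerting on by itself.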
