attached.

Andreas Gietl wrote:
> "Jerry Heidtke" <jheidtke@fmlh.edu> wrote:
>
> anybody caught a copy of this new worm?
>
>>It may be a new worm/virus. See the symptoms below.
>>
>>Jerry
>>
>>http://vil.nai.com/vil/content/v_100559.htm
>>
>>Virus Characteristics:
>>
>>This detection is for another virus that exploits the MS03-026
>>vulnerability.
>>
>>It is not related to the W32/Lovsan.worm.d variant described here.
>>
>>The virus is detected by the current Daily DATs as Exploit-DcomRpc virus
>>(with scanning of compressed files enabled).
>>
>>Preliminary Analysis
>>
>>Initial analysis shows the virus to install within a WINS directory
>>which is created in the Windows System directory:
>>C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes)
>>
>>Strings within the virus suggest it copies the TCP/IP trivial file
>>transfer daemon (TFTPD.EXE) binary from the dllcache on the victim
>>machine to this directory also, renaming it:
>>C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE
>>
>>The following services are installed:
>>RpcPatch - Set to run the installed copy of the worm (DLLHOST.EXE)
>>  Display name: "WINS Client"
>>RpcTftpd - Set to run the copy of the TFTPD application (SVCHOST.EXE)
>>  Display name: Network Connections Sharing
>>
>>Analysis is currently ongoing - description will be updated once
>>complete.
>>
>>Symptoms
>>large volumes of ICMP traffic in network
>>existence of the files and Windows services detailed above
>>
>>Jerry
>>
>>-----Original Message-----
>>From: Abraham, Antony (Cognizant) [mailto:Antony@blr.cognizant.com]
>>Sent: Monday, August 18, 2003 9:18 AM
>>To: B3r3n@argosnet.com; full-disclosure@lists.netsys.com
>>Cc: Frank.Ederveen@canon-europe.com
>>Subject: RE: [Full-Disclosure] [UPDATE] ping floods
>>
>>Hi,
>>
>>We do have the same problem. Incidents.org has recorded the same
>>(http://isc.incidents.org/) but not much detail available.
>>
>>Thanks,
>>
>>Antony Abraham
>>
>>-----Original Message-----
>>From: B3r3n@argosnet.com [mailto:B3r3n@argosnet.com]
>>Sent: Monday, August 18, 2003 6:59 PM
>>To: full-disclosure@lists.netsys.com
>>Cc: Frank.Ederveen@canon-europe.com
>>Subject: [Full-Disclosure] [UPDATE] ping floods
>>
>>Frank,
>>
>>Yes, exactly, our ICMP requests are also detected as Cyber kit 2.2
>>
>>Seems we share the same problem.
>>
>>Some others too?
>>
>>Brgrds
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
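The "large volumes of ICMP traffic" symptom in the NAI write-up is what most sites in this thread noticed first. As an added example (not from the thread or the NAI description), the Python below reads constructed firewall-style log lines and flags any source whose echo requests reach an unusually large number of distinct hosts inside a short window, which is how a worm sweeping address space looks from the network. The log line format, the 60-second window and the 8-host threshold are assumptions; tune them to your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an assumed firewall format (not real data):
#   <date> <time> ICMP <src> -> <dst> type=<icmp type>
SAMPLE_LOG = """\
2003-08-18 09:18:00 ICMP 10.1.2.3 -> 10.1.5.1 type=8
2003-08-18 09:18:00 ICMP 10.1.2.3 -> 10.1.5.2 type=8
2003-08-18 09:18:00 ICMP 10.1.2.3 -> 10.1.5.3 type=8
2003-08-18 09:18:01 ICMP 10.1.2.3 -> 10.1.5.4 type=8
2003-08-18 09:18:01 ICMP 10.1.2.3 -> 10.1.5.5 type=8
2003-08-18 09:18:01 ICMP 10.1.2.3 -> 10.1.5.6 type=8
2003-08-18 09:18:02 ICMP 10.1.2.3 -> 10.1.5.7 type=8
2003-08-18 09:18:02 ICMP 10.1.2.3 -> 10.1.5.8 type=8
2003-08-18 09:18:05 ICMP 10.1.2.3 -> 10.1.5.9 type=8
2003-08-18 09:18:05 ICMP 10.1.5.1 -> 10.1.2.3 type=0
2003-08-18 09:18:10 ICMP 10.1.9.9 -> 10.1.2.3 type=8
2003-08-18 09:18:11 ICMP 10.1.9.9 -> 10.1.2.3 type=8
2003-08-18 09:18:12 ICMP 10.1.9.9 -> 10.1.5.1 type=8
"""

LINE_RE = re.compile(r"^(\S+ \S+) ICMP (\S+) -> (\S+) type=(\d+)$")

def parse(lines):
    """Yield (timestamp, src, dst, icmp_type) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def find_icmp_sweeps(lines, window_s=60, min_targets=8):
    """Return {src: distinct_target_count} for sources whose echo requests
    (type 8) hit at least min_targets distinct hosts within window_s seconds.
    Echo replies (type 0) are ignored: victims answering a sweep are not sweepers."""
    per_src = defaultdict(list)
    for ts, src, dst, itype in parse(lines):
        if itype == 8:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # window opens at each request
            targets = {d for t, d in events[i:] if (t - start).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits

if __name__ == "__main__":
    print(find_icmp_sweeps(SAMPLE_LOG.splitlines()))
```

On the constructed sample only 10.1.2.3 is flagged (nine distinct targets in five seconds); 10.1.9.9 pinging two hosts repeatedly is ordinary traffic and stays below the threshold.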