[Full-Disclosure] Heads up: Possible lsass worm in the wild
- To: "0day" <0day@xxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: [Full-Disclosure] Heads up: Possible lsass worm in the wild
- From: "morning_wood" <se_cur_ity@xxxxxxxxxxx>
- Date: Thu, 29 Apr 2004 05:31:16 -0700
dropped file: %SYSTEM%/msiwin84.exe
remote process established to: lsass.exe
remote ip:4.x.x.x
note: file msiwin84.was not running
this appears to be a "blaster" type of worm working on the first and / or
second subset of the infected host to begin scanning for more hosts.
I have not completely unpacked the binary but here are some strings.
------------------ snip --------------
DnsFlushResolve
{ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home cCmd.Net, +MODEW ]m715
522947
6660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error: fix>ipS enc<5n clos
*+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s) tal!x f@m'Q_ IP addrvs3
------------------ snip ---------------
based on the above, the worm / viri tries to connect to an IRC server.
anyone else experiencing this?
morning_wood
http://exploitlabs.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
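
The string triage behind the IRC conclusion in the post above, as an added example that is not part of the original message: it checks the quoted strings for IRC command names and tolerates names that packing has truncated (such as "RIVMSG"). The token list, the 5-character minimum for partial matches and the 666x port hint are assumptions of this example.

```python
import re

# IRC client commands (RFC 1459 / RFC 2812) plus DCC, a CTCP extension.
IRC_TOKENS = ("PRIVMSG", "USERHOST", "JOIN", "MODE", "QUIT",
              "NICK", "PING", "PONG", "DCC")

# Strings quoted between the "snip" markers in the post, copied as-is.
SAMPLE = r'''DnsFlushResolve
{ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home cCmd.Net, +MODEW ]m715
522947
6660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error: fix>ipS enc<5n clos
*+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s) tal!x f@m'Q_ IP addrvs3'''


def best_match(token, text, min_len=5):
    """Return (kind, matched) for the longest piece of token in text, else None.

    A still-packed binary often keeps only part of a literal, so a token
    missing leading or trailing characters is accepted as "partial" when
    at least min_len characters survive (assumed threshold).
    """
    if token in text:
        return ("exact", token)
    for size in range(len(token) - 1, min_len - 1, -1):
        for start in range(len(token) - size + 1):
            piece = token[start:start + size]
            if piece in text:
                return ("partial", piece)
    return None


def triage(text):
    """Return (hits, port_hints); evidence for an analyst, not a verdict."""
    hits = {}
    for token in IRC_TOKENS:
        match = best_match(token, text)
        if match:
            hits[token] = match
    # 6660-6669 is the conventional IRC port range; a bare number is only a hint.
    port_hints = re.findall(r"(?<!\d)666\d(?!\d)", text)
    return hits, port_hints


if __name__ == "__main__":
    found, ports = triage(SAMPLE)
    for token, (kind, matched) in found.items():
        print(f"{token:9s} {kind:8s} {matched}")
    print("port hints:", ports)
```

Short tokens such as MODE or DCC can occur by chance in any binary, so weigh the number of distinct commands found together rather than any single hit.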