[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Heads up: Possible lsass worm in the wild
- To: morning_wood <se_cur_ity@xxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Heads up: Possible lsass worm in the wild
- From: Paul Tinsley <jackhammer@xxxxxxxxx>
- Date: Thu, 29 Apr 2004 15:54:15 -0500
I have seen this one active and in use, it is connecting to
216-110-80-17.gen.twtelecom.net on port 6667. I connected to the
server and found several interestingly named channels with
interestingly named clients in them:
Channel names:
#!tenzkor #[psy]- prefix to each client
#!!s32 #[eduz]- prefix to each client
#!rifkraca #exc prefix to each client
On Thu, 29 Apr 2004 12:22:27 -0700, morning_wood <se_cur_ity@xxxxxxxxxxx> wrote:
>
> i think the importaint thing here is that this was dropped via an lsass
> exploit,
> not that it is a specific type of viral agent ( agobot ) included in the drop.
>
> for those interested in a sample, it may be obtained at
> http://exploit.nothackers.org/msiwin84-lsass.zip
>
>
>
> morning_wood
> http://exploitlabs.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html