http://www.detroit-x.com/analysis.htm

McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT. This is not a worm, it's a trojan. Your systems are being remotely compromised, possibly with an auto-rooter targeting the lsass vulnerability, which instructs the compromised system to download, install, and run this trojan. This trojan includes a keystroke logger, and additional components that you seem to have missed. Assume that system and any web site passwords have been compromised. Warn the users of these systems that unless they change any financial site passwords they are likely to be victims of theft.
This is something we found this morning. I have packet captures that I will post. I have attached the infected files found with FPORT and also registry entries.
We found this rebooting machines with the LSASS.exe error similar to Sasser. As of 6/4/2004 we found no virus defs to pick it up.
Joshua Perrymon Sr. Network Security Consultant
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html