
Re: [Full-Disclosure] another new worm submission



Many virus filters filter *.reg files, so here is the TXT version:



-- 
Christoph Gruber, Security WAT1SE
WAVE Solutions Information Technology GmbH 
Nordbergstrasse 13, A - 1090 Wien, Austria
christoph.gruber@xxxxxxxxxxxxxxxxxx
Office: +43 1 71730 53514, Mobile: +43 664 81 22 66 1
PGP-Fingerprint: CCFF 5D66 7073 952C 7AB3  C2DF 435A C85C 558E D42B

full-disclosure-admin@xxxxxxxxxxxxxxxx wrote on 08.06.2004 10:39:46:

> 
> but I forgot to attach it: 
> 
> 
> 
> -- 
> Christoph Gruber, Senior Security Architect
> WAVE Solutions Information Technology GmbH 
> Nordbergstrasse 13, A - 1090 Wien, Austria
> christoph.gruber@xxxxxxxxxxxxxxxxxx
> Office: +43 1 71730 53514, Mobile: +43 664 81 22 66 1
> PGP-Fingerprint: CCFF 5D66 7073 952C 7AB3  C2DF 435A C85C 558E D42B 
> 
> full-disclosure-admin@xxxxxxxxxxxxxxxx wrote on 07.06.2004 14:06:21:
> 
> > 
> > -----BEGIN PGP SIGNED MESSAGE----- 
> > Hash: SHA1 
> > 
> > Josh wrote 04.06.2004 21:11:26: 
> > 
> > > http://www.detroit-x.com/analysis.htm 
> > > 
> > > This is something we found this morning. I have packet captures 
> > > that I will post. 
> > > I have attached the infected files found with FPORT and also 
> > > registry entries. 
> > > 
> > > We found this rebooting machines with the LSASS.exe error similar 
> > > to Sasser. As of 6/4/2004 we found no virus defs to pick it up. 
> > > 
> > > 
> > > Joshua Perrymon 
> > > Sr. Network Security Consultant 
> > 
> > Hi there! 
> > 
> > There is another registry entry: 
> > 
> > 
> > Cheers! 
> > 
> > - -- 
> > Christoph Gruber, Senior Security Architect 
> > WAVE Solutions Information Technology GmbH 
> > Nordbergstrasse 13, A - 1090 Wien, Austria 
> > christoph.gruber@xxxxxxxxxxxxxxxxxx 
> > Office: +43 1 71730 53514, Mobile: +43 664 81 22 66 1 
> > PGP-Fingerprint: CCFF 5D66 7073 952C 7AB3  C2DF 435A C85C 558E D42B 
> > 
> > 
> > -----BEGIN PGP SIGNATURE----- 
> > Version: PGP 8.0.3 
> > 
> > iQA/AwUBQMRaFkNayFxVjtQrEQKmYwCg4ufJbS1o/5/C73FUSzBQ+D77OXsAoMLD 
> > 82mFBEHVI5D0bGtwTIoLQx9G 
> > =SKaL 
> > -----END PGP SIGNATURE-----[Attachment "reg1.reg" deleted by 
> Christoph Gruber/DSI/AT] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Shell"="explorer.exe C:\\WINDOWS\\System32\\svohost.exe"
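An added check (example code written for this page, not from the post or from any vendor tool) that parses a regedit export and flags a Winlogon Shell value that launches anything besides explorer.exe, which is the persistence trick the entry above shows. The sample export is constructed here from the posted entry: it is re-encoded as UTF-16LE with a BOM the way regedit 5.00 writes .reg files (that BOM is the stray "ÿþ" that appears when such a file is pasted as text, so the decoder handles it), and the "Windows Registry Editor Version 5.00" header line is assumed, since the posted text version does not include it.

```python
import re

# Constructed sample input (not copied from the post): the Winlogon entry quoted
# in the thread, re-encoded as regedit 5.00 exports it (UTF-16LE with a BOM).
# The header line is the standard export header and is assumed here.
_REG_TEXT = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\n"
    "\"Shell\"=\"explorer.exe C:\\\\WINDOWS\\\\System32\\\\svohost.exe\"\r\n"
)
SAMPLE_REG = b"\xff\xfe" + _REG_TEXT.encode("utf-16-le")

# A clean export of the same key, for comparison (also constructed).
CLEAN_REG = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\n"
    "\"Shell\"=\"explorer.exe\"\r\n"
).encode("utf-16-le")

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"

# "name"="value" lines; backslash escapes inside the quotes are kept intact here
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')


def decode_reg(data: bytes) -> str:
    """Regedit 5.00 writes UTF-16LE with a BOM; 4.00 exports are 8-bit text."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("latin-1")


def _unescape(s: str) -> str:
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}} for the REG_SZ values in an export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.fullmatch(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def shell_extras(keys: dict) -> list:
    """Programs the Winlogon Shell value launches besides explorer.exe.

    Split on whitespace, so a path containing spaces is reported as several
    tokens: enough to flag the hijack, not to reconstruct the command line.
    """
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    if shell is None:
        return []
    return [t for t in shell.split() if t.lower() != EXPECTED_SHELL]


def check_reg_export(data: bytes) -> list:
    """Decode, parse, and report unexpected programs in the Winlogon Shell value."""
    return shell_extras(parse_reg(decode_reg(data)))


if __name__ == "__main__":
    for label, blob in (("posted entry", SAMPLE_REG), ("clean entry", CLEAN_REG)):
        extras = check_reg_export(blob)
        print(f"{label}: {'HIJACKED -> ' + ', '.join(extras) if extras else 'ok'}")
```

On a live host the same comparison can be made against an export taken with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; the default Shell value is plain `explorer.exe`, so any extra token is worth a look.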