Re: [Full-Disclosure] Heads up: Possible lsass worm in the wild
From: insecure (insecure_at_ameritech.net)
Date: 04/29/04
- Previous message: Willem Koenings: "[Full-Disclosure] agobot and 1025"
- In reply to: morning_wood: "[Full-Disclosure] Heads up: Possible lsass worm in the wild"
- Next in thread: morning_wood: "Re: [Full-Disclosure] Heads up: Possible lsass worm in the wild"
- Reply: morning_wood: "Re: [Full-Disclosure] Heads up: Possible lsass worm in the wild"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: morning_wood <se_cur_ity@hotmail.com>
Date: Thu, 29 Apr 2004 09:30:38 -0500
morning_wood wrote:
>dropped file: %SYSTEM%/msiwin84.exe
>remote process established to: lsass.exe
>remote ip:4.x.x.x
>
>note: file msiwin84.was not running
>
>
>this appears to be a "blaster" type of worm working on the first and / or
>second subset of the infected host to begin scanning for more hosts.
>I have not completely unpacked the binary but here are some strings.
>
>------------------ snip --------------
>DnsFlushResolve
>{ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home cCmd.Net, +MODEW ]m715
>522947
>6660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error: fix>ipS enc<5n clos
>*+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s) tal!x f@m'Q_ IP addrvs3
>
>------------------ snip ---------------
>
>based on the above, the worm / viri tries to connect to an IRC server.
>
>anyone else experiencing this?
>
>
>morning_wood
>http://exploitlabs.com
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
According to McAfee, this is W32/Gaobot.worm.ali. It is not a "blaster"
type worm, as it does not spread completely autonomously. It infects a
system, contacts an IRC server, and waits for instructions, one of which
can be to search for and infect other vulnerable systems. The IRC server
is offline at the moment.
See http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125006
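The thread above gives a defender three observables for this bot: an executable dropped under the system directory, a remote process/thread relationship with lsass.exe, and an outbound connection to an IRC server. The script below is an added example (not code from either poster, McAfee, or the bot itself) that runs those three checks over constructed endpoint telemetry and correlates them per process, so that a host where all three line up is ranked above one that merely runs an IRC client. The `key=value` event format, the event type names (`file_create`, `remote_thread`, `net_connect`), the IRC port list, the `mirc.exe` allowlist and every sample line are assumptions made for the example; only `msiwin84.exe`, `lsass.exe`, the system directory drop and the IRC behaviour come from the thread.

```python
"""Added example: triage constructed endpoint events for the Gaobot-style
indicators described in the Full-Disclosure thread. Event format, type
names, ports and sample lines are assumptions, not real product output."""

import re
from collections import defaultdict

# Constructed sample telemetry (assumption: one 'key=value ...' event per line).
SAMPLE_EVENTS = """
type=file_create path=C:\\WINDOWS\\system32\\msiwin84.exe proc=svchost.exe
type=remote_thread src=msiwin84.exe target=lsass.exe
type=net_connect proc=msiwin84.exe dst=4.0.0.1 dport=6667
type=net_connect proc=outlook.exe dst=10.1.1.5 dport=25
type=file_create path=C:\\Users\\bob\\report.docx proc=winword.exe
type=net_connect proc=mirc.exe dst=10.1.1.9 dport=6667
""".strip().splitlines()

# Common IRC listener ports (assumption: tune to what the environment allows).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}
# Processes that are expected to talk IRC (assumed allowlist for the example).
KNOWN_IRC_CLIENTS = {"mirc.exe"}
# An .exe written directly into <drive>:\Windows\system32 (the %SYSTEM% dir).
SYSTEM_DIR_EXE_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.exe$", re.I)


def parse_event(line):
    """Split one 'key=value key=value' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def classify(event):
    """Return (indicator_name, implicated_process) or None if benign."""
    etype = event.get("type")
    if etype == "file_create":
        path = event.get("path", "")
        if SYSTEM_DIR_EXE_RE.match(path):
            # Implicate the dropped file, not the dropper that wrote it.
            return "exe_dropped_in_system_dir", path.rsplit("\\", 1)[-1].lower()
    elif etype == "remote_thread":
        if event.get("target", "").lower() == "lsass.exe":
            return "remote_thread_into_lsass", event.get("src", "").lower()
    elif etype == "net_connect":
        proc = event.get("proc", "").lower()
        port = int(event.get("dport", 0))
        if port in IRC_PORTS and proc not in KNOWN_IRC_CLIENTS:
            return "irc_port_connect_from_unexpected_process", proc
    return None


def triage(lines):
    """Group indicators by process; two or more distinct ones rank 'high'."""
    hits = defaultdict(set)
    for line in lines:
        result = classify(parse_event(line))
        if result:
            indicator, proc = result
            hits[proc].add(indicator)
    return {
        proc: {
            "indicators": sorted(found),
            "severity": "high" if len(found) >= 2 else "low",
        }
        for proc, found in hits.items()
    }


if __name__ == "__main__":
    for proc, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{proc}: {verdict['severity']} {verdict['indicators']}")
```

Correlating by the implicated process rather than alerting on each event separately is the point: a lone IRC connection from an unlisted binary is low confidence, but the same binary being dropped into system32 and then opening a remote thread into lsass.exe matches the whole behaviour the thread describes.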