[Full-Disclosure] Re: [0day] Heads up: Possible lsass worm in the wild

From: Darren Bounds (dbounds_at_intrusense.com)
Date: 04/29/04

Next message: Oliver Raymond: "Re: [Full-Disclosure] Exploit Identification Request"

Previous message: Michael Guenther: "Re: [Full-Disclosure] Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++++>"
In reply to: morning_wood: "[Full-Disclosure] Heads up: Possible lsass worm in the wild"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: 0day <0day@nothackers.org>
Date: Thu, 29 Apr 2004 09:37:23 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I believe that's actually a new AGOBOT variant. As far as I know it
actually exploits the MS PCT vulnerability. It also modifies the HOSTS
file to redirect AV vendor addresses to localhost.

Thanks,

Darren Bounds, CISSP

443D 628D 0AC7 CACF 6085
C0E0 B2FC 534B 3D9E 69AF

- --
Intrusense - Securing Business As Usual

On Apr 29, 2004, at 8:31 AM, morning_wood wrote:

> -= 0day - Freedom of Voice - Freedom of Choice =-
>
> dropped file: %SYSTEM%/msiwin84.exe
> remote process established to: lsass.exe
> remote ip:4.x.x.x
>
> note: file msiwin84.was not running
>
>
> this appears to be a "blaster" type of worm working on the first and /
> or
> second subset of the infected host to begin scanning for more hosts.
> I have not completly unpacked the binary but here is some strings.
>
> ------------------ snip --------------
> DnsFlushResolve
> {ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home cCmd.Net, +MODEW
> ]m715
> 522947
> 6660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error: fix>ipS
> enc<5n clos
> *+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s) tal!x f@m'Q_ IP addrvs3
>
> ------------------ snip ---------------
>
> based on the above, the worm / viri tries to connect to a IRC server.
>
> anyone else experiencing this?
>
>
> morning_wood
> http://exploitlabs.com
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> 0day mailing list
> 0day@nothackers.org
> http://nothackers.org/mailman/listinfo/0day
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFAkQUWsvxTSz2eaa8RAiM4AKC9WqFOz2fryj6x0rtr+xXfm1QSCwCfcN/R
hyHgPFkDfqvUw/F8eNr3TC0=
=5NIA
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Oliver Raymond: "Re: [Full-Disclosure] Exploit Identification Request"

Previous message: Michael Guenther: "Re: [Full-Disclosure] Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++++>"
In reply to: morning_wood: "[Full-Disclosure] Heads up: Possible lsass worm in the wild"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]