Re: New LSASS-based worm finally here (Sasser)

From: Javier Fernandez-Sanguino (jfernandez_at_germinus.com)
Date: 05/03/04

  • Next message: Matt Wagenknecht: "Re: [Full-Disclosure] Sasser skips 10.x.x.x Why?"
    Date: Mon, 03 May 2004 10:45:35 +0200
    To: Ben Ryan <ben@bssc.edu.au>
    
    

    Ben Ryan wrote:

    > As expected, LSASS exploit-based worm seems to have arrived. Fasten your
    > seatbelts, those unpatched please use the spew bags provided :)
    > I hope PSS resolves the issues discussed in KB835732.

    What's more disturbing is that this worm has established a new record
    for Microsoft worms [1]. Blaster was the fastest worm (25 days since
    the patch was published to the worm), this one has been even faster
    (17 days for the first variant since the patch was published to the
    worm). Of course, I'm not considering the fact that this issue was
    known, at least to eEye and Microsoft, for over 5 months.

    Regards

    Javier

    [1] Approaching the record of worms in other OS, which, I believe, is
    held by Scalper (10 days from patch to worm). But hey, they could
    browse the source changes for that one.


  • Next message: Matt Wagenknecht: "Re: [Full-Disclosure] Sasser skips 10.x.x.x Why?"

    Relevant Pages

    • RE: disinfection tool
      ... > Perhaps a very controversial viewpoint is using the backdoor installed by the ... > copycat code red worm to patch these systems. ... > This list is provided by the SecurityFocus ARIS analyzer service. ...
      (Incidents)
    • Re: Will patch fix an already affected computer
      ... The patch will fix the vulnerability, but won't remove the worm. ... Windows XP, Windows 2000, Windows Server 2003, Windows NT ...
      (microsoft.public.security)
    • Re: rpc errors
      ... Nice advice, but note that if you have the worm, installing the patch isn't ... Windows XP, Windows 2000, Windows Server 2003, Windows NT ... Anti-Virus vendor to detect new viruses and their variants. ...
      (microsoft.public.win2000.security)
    • Re: ICF
      ... No I have not being able to run the patch for the Blaster ... >Disinfecting from the Blaster worm also requires that you ... >without the firewall, ...
      (microsoft.public.security.virus)
    • [Full-Disclosure] RE: Full-Disclosure digest, new LSASS - Javier
      ... There I was getting ready to patch ... To: Ben Ryan ... LSASS exploit-based worm seems to have arrived. ... for Microsoft worms. ...
      (Full-Disclosure)