Re: new Gaobot variant??

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 04/29/04


Date: Thu, 29 Apr 2004 07:23:00 -0400


"PHiL M." <@.com.hk> wrote in message
news:eNASelaLEHA.3696@TK2MSFTNGP09.phx.gbl...

> Have I identified the virus correctly? Thanks.

Well, it's far preferable to identify viruses by using one or more different
anti-virus scanners with the latest updates, and submitting the relevant
files to anti-virus vendors if nothing is found.

> 5. Some even reported LSASS.exe error and shuts down in 60 seconds (but
> not sure if it is related to the others).

Well, that's disturbing. Possibly related to this:

MS04-011: PhatBot exploiting LSASS?
http://msmvps.com/harrywaldron/posts/5594.aspx
http://www.incidents.org/diary.php?date=2004-04-27

The ISC has come into possession of what appears to be a new version of
PhatBot that contains code to exploit the LSASS (LSASS: Local Security
Authority Subsystem Service) vulnerabilities patched under MS04-011.
Reference these old diary entries:

http://isc.sans.org/diary.php?date=2004-04-26
http://isc.sans.org/diary.php?date=2004-04-25

We are currently focusing on some keywords found in the executable that
indicate that an LSASS exploit has been added, specifically, the command
string "CScannerLSASS". We are currently investigating the code, and will
update the diary as new information becomes available. Traffic matching
this bot was first observed yesterday evening (EDT) at multiple US .edu's.
The bot appears to inherit all other functions usually associated with
'phatbot'.

http://www.incidents.org/diary.php?date=2004-04-28

W32.Gaobot.AFJ

Some news about yesterday's diary about "Phatbot exploiting LSASS". The
binary was identified today by Symantec beta virus definition as
W32.Gaobot.AFJ.
This is not the end... we received information about yet another
variation that is not identified by these beta virus defs. As reported in
previous diaries, the source code of the worm is available on the
underground, and continuous and more controlled / dangerous versions are
expected.
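
Added example (not code from the post or from ISC): a small defender-side triage script that walks a directory, looks for the "CScannerLSASS" string quoted above in each file, and records the SHA-256 of every hit so the sample can be submitted to anti-virus vendors as the reply recommends. The UTF-16LE form of the string, the chunk size and the output layout are assumptions.

```python
import hashlib
import os

# Indicator string from the ISC diary; the wide (UTF-16LE) form is an
# assumption, added because Windows binaries often store strings that way.
INDICATORS = {
    "CScannerLSASS": [b"CScannerLSASS", "CScannerLSASS".encode("utf-16-le")],
}
CHUNK = 1 << 20  # read 1 MiB at a time so large files do not sit in memory


def scan_file(path):
    """Return (sha256, sorted indicator names) for one file.

    Reads in chunks and keeps a tail of the previous chunk so that a string
    straddling a chunk boundary is still found.
    """
    longest = max(len(p) for pats in INDICATORS.values() for p in pats)
    digest = hashlib.sha256()
    hits = set()
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            digest.update(chunk)
            window = tail + chunk
            for name, pats in INDICATORS.items():
                if any(p in window for p in pats):
                    hits.add(name)
            tail = window[-(longest - 1):]
    return digest.hexdigest(), sorted(hits)


def triage(root):
    """Walk a directory tree and list files carrying an indicator, with hash and size."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha256, hits = scan_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            if hits:
                findings.append({"path": path, "sha256": sha256,
                                 "size": os.path.getsize(path), "indicators": hits})
    return findings


if __name__ == "__main__":
    import json, sys
    print(json.dumps(triage(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

The hash and size in each finding are what a vendor submission form typically asks for; a match on the string alone is a triage lead, not a verdict, and the sample should still go through an up-to-date scanner.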


