Network Security: Detailed info on [Full-Disclosure] Heads up: Possible lsass worm in the wild

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security FullDisclosure

[Top] [All Lists]

[Full-Disclosure] Heads up: Possible lsass worm in the wild

from [morning_wood] Network Security

[Permanent Link]

Subject:	[Full-Disclosure] Heads up: Possible lsass worm in the wild
Date:	Thu, 29 Apr 2004 05:31:16 -0700

dropped file: %SYSTEM%/msiwin84.exe
remote process established to: lsass.exe
remote ip:4.x.x.x

note: file msiwin84.was not running


this appears to be a "blaster" type of worm working on the first and / or
second subset of the infected host to begin scanning for more hosts.
I have not completly unpacked the binary but here is some strings.

------------------ snip --------------
DnsFlushResolve
{ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home  cCmd.Net, +MODEW ]m715
522947
6660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error: fix>ipS enc<5n  clos
*+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s)  tal!x f@m'Q_  IP addrvs3

------------------ snip ---------------

based on the above, the worm / viri tries to connect to a IRC server.

anyone else experiencing this?


morning_wood
http://exploitlabs.com

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Full-Disclosure] Heads up: Possible lsass worm in the wild, morning_wood <= [Full-Disclosure] Re: [0day] Heads up: Possible lsass worm in the wild, Darren Bounds Re: [Full-Disclosure] Heads up: Possible lsass worm in the wild, insecure Re: [Full-Disclosure] Heads up: Possible lsass worm in the wild, morning_wood Re: [Full-Disclosure] Heads up: Possible lsass worm in the wild, Paul Tinsley [Full-Disclosure] Heads up: Possible lsass worm in the wild, Feher Tamas RE: [Full-Disclosure] Heads up: Possible lsass worm in the wild, Randal, Phil [Full-Disclosure] Heads up: Possible lsass worm in the wild, Feher Tamas [Full-Disclosure] Heads up: Possible lsass worm in the wild, Feher Tamas

Previous by Date:	[Full-Disclosure] [SECURITY] [DSA 496-1] New eterm packages fix indirect arbitrary command execution, debian-security-announce
Next by Date:	[Full-Disclosure] Heads up: Possible lsass worm in the wild, Feher Tamas
Previous by Thread:	[Full-Disclosure] [SECURITY] [DSA 496-1] New eterm packages fix indirect arbitrary command execution, debian-security-announce
Next by Thread:	[Full-Disclosure] Re: [0day] Heads up: Possible lsass worm in the wild, Darren Bounds
Indexes:	[Date] [Thread] [Top] [All Lists]