
Re: [Full-Disclosure] Heads up: Possible lsass worm in the wild

Subject: Re: [Full-Disclosure] Heads up: Possible lsass worm in the wild
Date: Thu, 29 Apr 2004 15:54:15 -0500
I have seen this one active and in use; it is connecting to
216-110-80-17.gen.twtelecom.net on port 6667. I connected to the
server and found several interestingly named channels with
interestingly named clients in them:

Channel names:
#!tenzkor  #[psy]- prefix to each client
#!!s32       #[eduz]- prefix to each client
#!rifkraca  #exc prefix to each client

On Thu, 29 Apr 2004 12:22:27 -0700, morning_wood <se_cur_ity@hotmail.com> wrote:

I think the important thing here is that this was dropped via an lsass exploit,
not that it is a specific type of viral agent (agobot) included in the drop.

for those interested in a sample, it may be obtained at
http://exploit.nothackers.org/msiwin84-lsass.zip



morning_wood
http://exploitlabs.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


