[Full-Disclosure] Heads up: Possible lsass worm in the wild
morning_wood
se_cur_ity at hotmail.com
Thu Apr 29 13:31:16 BST 2004
dropped file: %SYSTEM%/msiwin84.exe
remote process established to: lsass.exe
remote ip:4.x.x.x
note: file msiwin84.was not running
this appears to be a "blaster" type of worm working on the first and / or
second subset of the infected host to begin scanning for more hosts.
I have not completly unpacked the binary but here is some strings.
------------------ snip --------------
DnsFlushResolve
{ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home cCmd.Net, +MODEW ]m715
522947
6660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error: fix>ipS enc<5n clos
*+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s) tal!x f at m'Q_ IP addrvs3
------------------ snip ---------------
based on the above, the worm / viri tries to connect to a IRC server.
anyone else experiencing this?
morning_wood
http://exploitlabs.com
Full-Disclosure is hosted and sponsored by Secunia.