"Jerry Heidtke" <[EMAIL PROTECTED]> wrote:

Has anybody caught a copy of this new worm?

> It may be a new worm/virus. See the symptoms below.
>
> Jerry
>
> http://vil.nai.com/vil/content/v_100559.htm
>
> Virus Characteristics:
>
> This detection is for another virus that exploits the MS03-026
> vulnerability.
>
> It is not related to the W32/Lovsan.worm.d variant described here.
>
> The virus is detected by the current Daily DATs as Exploit-DcomRpc virus
> (with scanning of compressed files enabled).
>
> Preliminary Analysis
>
> Initial analysis shows the virus to install within a WINS directory
> which is created in the Windows System directory:
> C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes)
>
> Strings within the virus suggest it copies the TCP/IP trivial file
> transfer daemon (TFTPD.EXE) binary from the dllcache on the victim
> machine to this directory also, renaming it:
> C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE
>
> The following services are installed:
> RpcPatch - Set to run the installed copy of the worm (DLLHOST.EXE)
>            Display name: "WINS Client"
> RpcTftpd - Set to run the copy of the TFTPD application (SVCHOST.EXE)
>            Display name: "Network Connections Sharing"
>
> Analysis is currently ongoing - description will be updated once
> complete.
>
> Symptoms
> - large volumes of ICMP traffic in network
> - existence of the files and Windows services detailed above
>
> Jerry
>
> -----Original Message-----
> From: Abraham, Antony (Cognizant) [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 18, 2003 9:18 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] [UPDATE] ping floods
>
> Hi,
>
> We do have the same problem. Incidents.org has recorded the same
> (http://isc.incidents.org/) but not much detail available.
>
> Thanks,
>
> Antony Abraham
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 18, 2003 6:59 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] [UPDATE] ping floods
>
> Frank,
>
> Yes, exactly, our ICMP requests are also detected as Cyber kit 2.2.
>
> Seems we share the same problem.
>
> Some others too?
>
> Brgrds
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
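The write-up quoted in this thread gives two kinds of indicator: host artefacts (the two files under the WINS directory and the RpcPatch / RpcTftpd services) and one network symptom (large volumes of ICMP traffic). The Python below is an added example, not code from the list post or from McAfee's description, that turns those into checks an administrator could run against a host inventory and a ping log. The system root defaults to the C:\WINNT path used in the write-up, the log line format and the sweep thresholds are assumptions, and sample_log() is constructed data.

```python
"""Checks for the host and network indicators in the McAfee write-up quoted above.

Added example; not code from the list post or from McAfee. The system root defaults
to the C:\\WINNT path used in the write-up; the log format and thresholds below are
assumptions, and sample_log() is constructed data.
"""
import os
import re
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta

# Files the write-up says the worm drops, relative to the system root.
IOC_FILES = (r"SYSTEM32\WINS\DLLHOST.EXE", r"SYSTEM32\WINS\SVCHOST.EXE")
# Services the write-up says it installs: service name -> display name.
IOC_SERVICES = {"RpcPatch": "WINS Client", "RpcTftpd": "Network Connections Sharing"}


def check_host(existing_files, services, system_root=r"C:\WINNT"):
    """Match a host inventory against the file and service indicators.

    existing_files: full paths present on the host; services: installed service
    name -> display name. Comparisons are case-insensitive, as NT paths and service
    names are. Returns a list of hits; an empty list means nothing matched.
    """
    present = {p.lower() for p in existing_files}
    installed = {name.lower(): disp for name, disp in services.items()}
    hits = []
    for rel in IOC_FILES:
        full = f"{system_root}\\{rel}"
        if full.lower() in present:
            hits.append(f"file present: {full}")
    for name, display in IOC_SERVICES.items():
        if name.lower() in installed:
            seen = installed[name.lower()]
            note = "" if seen == display else f" (display name {seen!r}, expected {display!r})"
            hits.append(f"service installed: {name}{note}")
    return hits


def collect_local(system_root=r"C:\WINNT"):
    """Gather the inventory check_host() wants from a live Windows host via `sc query`."""
    files = [p for p in (f"{system_root}\\{r}" for r in IOC_FILES) if os.path.exists(p)]
    out = subprocess.run(["sc", "query", "type=", "service", "state=", "all"],
                         capture_output=True, text=True, check=True).stdout
    services, current = {}, None
    for line in out.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "SERVICE_NAME":
            current = value
        elif key == "DISPLAY_NAME" and current:
            services[current] = value
    return files, services


# Constructed log format: "<YYYY-MM-DD HH:MM:SS> ICMP <src> -> <dst> type=<n> code=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ICMP "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) type=(?P<type>\d+)"
)


def flag_icmp_sweeps(lines, window=timedelta(seconds=10), min_requests=50, min_hosts=20):
    """Flag sources sending many echo requests to many distinct hosts inside one window.

    Both thresholds must hold: a monitor pinging one gateway repeatedly has volume but
    a single destination; a host sweeping a range has both. Returns
    {src: (requests, distinct_hosts)} for the busiest qualifying window per source.
    """
    events = defaultdict(list)  # src -> [(timestamp, dst)] for echo requests (type 8)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("type") == "8":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events[m.group("src")].append((ts, m.group("dst")))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, start = None, 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:  # slide the window's left edge forward
                start += 1
            count = end - start + 1
            hosts = len({dst for _, dst in evs[start:end + 1]})
            if count >= min_requests and hosts >= min_hosts and (best is None or count > best[0]):
                best = (count, hosts)
        if best:
            flagged[src] = best
    return flagged


def sample_log():
    """Constructed: 10.0.0.5 sweeps 10.0.1.1-10.0.1.60 in six seconds while 10.0.0.9
    pings one gateway once a second and gets replies (type 0, which are ignored)."""
    base = datetime(2003, 8, 18, 9, 18, 0)
    lines = []
    for i in range(60):
        ts = base + timedelta(seconds=i // 10)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} ICMP 10.0.0.5 -> 10.0.1.{i + 1} type=8 code=0")
    for i in range(30):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} ICMP 10.0.0.9 -> 10.0.0.1 type=8 code=0")
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} ICMP 10.0.0.1 -> 10.0.0.9 type=0 code=0")
    return lines
```

On a Windows host, `check_host(*collect_local())` runs the file and service check directly; elsewhere, feed it an inventory exported from the machine. The sweep detector needs both volume and destination spread before it flags a source, so a monitoring box that pings one gateway every second is not reported, while a host walking through a /24 is; tune the window and thresholds to the size of the network and remember that the pair of services and files above identifies this particular sample only, not every host on a given subnet generating the ICMP load.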
