attached.
Andreas Gietl wrote:
"Jerry Heidtke" <[EMAIL PROTECTED]> wrote:
anybody catched a copy of this new worm?
It may be a new worm/virus. See the symptoms below.
Jerry
http://vil.nai.com/vil/content/v_100559.htm
Virus Characteristics:
This detection is for another virus that exploits the the MS03-026 vulnerability.
It is not related to the W32/Lovsan.worm.d variant described here.
The virus is detected by the current Daily DATs as Exploit-DcomRpc virus (with scanning of compressed files enabled).
Preliminary Analysis
Initial analysis shows the virus to install within a WINS directory
which is created in the Windows System directory:
C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes)
Strings within the virus suggest it copies the TCP/IP trivial file
transfer daemon (TFTPD.EXE) binary from the dllcache on the victim
machine to this directory also, renaming it:
C:\WINNT\SYSTEM32\WINS\SVCHOST.EXE
The following services are installed: RpcPatch Set to run the installed copy of the worm (DLLHOST.EXE)
Display name: "WINS Client"
RpcTftpd Set to run the copy of the TFTPD application (SVCHOST.EXE)
Display name: Network Connections Sharing
Analysis is currently ongoing - description will be updated once
complete.
Top of Page
Symptoms large volumes of ICMP traffic in network existence of the files and Windows services detailed above
Jerry
-----Original Message-----
From: Abraham, Antony (Cognizant) [mailto:[EMAIL PROTECTED] Sent: Monday, August 18, 2003 9:18 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] [UPDATE] ping floods
Hi,
We do have the same problem. Incidents.org has recorded the same (http://isc.incidents.org/) but not much detail available.
Thanks,
Antony Abraham
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, August 18, 2003 6:59 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Full-Disclosure] [UPDATE] ping floods
Frank,
Yes, exactly, our ICMP requests are also detected as Cyber kit 2.2
Seems we share the same problem.
Some others too?
Brgrds
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Nachi.zip
Description: Zip compressed data
Description: S/MIME Cryptographic Signature
