According to McAfee, this is W32/Gaobot.worm.ali. It is not a "blaster" type worm, as it does not spread completely autonomously. It infects a system, contacts an IRC server, and waits for instructions, one of which can be to search for and infect other vulnerable systems. The IRC server is offline at the moment.

dropped file: %SYSTEM%/msiwin84.exe
remote process established to: lsass.exe
remote ip: 4.x.x.x
note: file msiwin84.exe was not running
this appears to be a "blaster" type of worm working on the first and / or second subset of the infected host to begin scanning for more hosts. I have not completely unpacked the binary, but here are some strings.
------------------ snip --------------
DnsFlushResolve {ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home cCmd.Net, +MODEW ]m715 522947 6660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error: fix>ipS enc<5n clos *+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s) tal!x [EMAIL PROTECTED]'Q_ IP addrvs3
------------------ snip ---------------
Based on the above, the worm / viri tries to connect to an IRC server.
anyone else experiencing this?
morning_wood http://exploitlabs.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
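Added example, not code from morning_wood or anyone else in this thread: a small Python triage helper that does what the post does by hand, pulling printable strings out of a sample and counting the IRC command tokens that suggest a bot waiting on a channel for instructions. The sample bytes are constructed here from fragments like those in the dump, and the command list and the "three distinct commands" threshold are assumptions.

```python
import re
from typing import Dict, List

# IRC protocol commands of the kind seen in the posted strings dump; a
# binary that embeds several of these deserves a closer look (assumed list).
IRC_COMMANDS = ("PRIVMSG", "JOIN", "USERHOST", "QUIT", "MODE", "DCC", "NICK", "USER")

# Constructed sample: fragments modelled on the strings in the post, padded
# with junk bytes so the extractor has to find them the way strings(1) would.
SAMPLE_BIN = (
    b"\x00\x01MZ\x90\x00\x03"
    b"PRIVMSG %s :screw you\x00\x7f\x02"
    b"USERHOST\x00JOIN\x00QUIT\x00\xff\xfe"
    b"%SYSTEM%\\msiwin84.exe\x00\x01\x02lsass.exe\x00"
    b"MODE\x00DCC SEND\x00\x00\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return printable-ASCII runs of at least min_len characters (strings(1) style)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def irc_indicators(strings: List[str]) -> Dict[str, int]:
    """Count extracted strings that begin with each IRC command as a whole word."""
    hits = {cmd: 0 for cmd in IRC_COMMANDS}
    for s in strings:
        for cmd in IRC_COMMANDS:
            # \b keeps USER from also matching USERHOST.
            if re.match(rf"{cmd}\b", s):
                hits[cmd] += 1
    return {cmd: n for cmd, n in hits.items() if n}


def likely_irc_bot(data: bytes, min_distinct: int = 3) -> bool:
    """Flag the sample when at least min_distinct different IRC commands are embedded."""
    return len(irc_indicators(extract_strings(data))) >= min_distinct


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BIN)
    print("strings:", found)
    print("irc indicators:", irc_indicators(found))
    print("likely IRC bot:", likely_irc_bot(SAMPLE_BIN))
```

Strings alone only say what the binary can speak; pairing a hit like this with the dropped-file path and the unexpected outbound connection from lsass.exe is what turns it into a confident call.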
See http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125006
