I have seen this one active and in use, it is connecting to 216-110-80-17.gen.twtelecom.net on port 6667. I connected to the server and found several interestingly named channels with interestingly named clients in them:
Channel names: #!tenzkor #[psy]- prefix to each client #!!s32 #[eduz]- prefix to each client #!rifkraca #exc prefix to each client On Thu, 29 Apr 2004 12:22:27 -0700, morning_wood <[EMAIL PROTECTED]> wrote: > > i think the importaint thing here is that this was dropped via an lsass exploit, > not that it is a specific type of viral agent ( agobot ) included in the drop. > > for those interested in a sample, it may be obtained at > http://exploit.nothackers.org/msiwin84-lsass.zip > > > > morning_wood > http://exploitlabs.com > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
