[Dshieldannounce] likely RPC worm captured. Moving to infocon
'yellow'
Johannes B. Ullrich
jullrich at sans.org
Mon Aug 11 19:28:40 UTC 2003
This message was converted from multipart/signed to ascii armored
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
We received a copy of a binary that very much looks
like an RPC worm. Preliminary info:
- scans for port 135 as soon as it starts
- scans IPs sequentially (likely stating at a random
point)
more details will be posted at http://isc.sans.org as
they become available. Please submit code captures
and the like to 'handlers at sans.org'
--
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt
-------BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQA/N+5nR1p7hYJvB/wRAiHoAJ4hFhzPKKZSPuM5wBgU27jecBt4NQCfSsqQ
ShZovT65Uq41F+YvP98lwwUZA3
-----END PGP SIGNATURE-----
--
SHA1
More information about the Dshieldannounce
mailing list