[unisog] Apparent spread of LSASS exploitation

Edward W. Ray support at mmicman.com
Wed Apr 28 19:20:00 GMT 2004


The virus binary is in the ".c" program.

-----Original Message-----
From: Phillip G Deneault [mailto:deneault at WPI.EDU] 
Sent: Wednesday, April 28, 2004 10:00 AM
To: support at mmicman.com; UNIversity System Operators Group Mailing list
Subject: RE: [unisog] Apparent spread of LSASS exploitation

This is the exploit, not the virus binary.  It probably works just as good
though. :-)

Phil

On Wed, 28 Apr 2004, Edward W. Ray wrote:

> Here is a copy. 
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org]
> On Behalf Of Jason Alexander
> Sent: Wednesday, April 28, 2004 8:37 AM
> To: UNIversity System Operators Group Mailing list
> Subject: Re: [unisog] Apparent spread of LSASS exploitation
> 
> Has anyone managed to capture a copy of this variant?  I haven't seen 
> much in the way of talk on any other lists about this variant.
> 
> Thanks
> Jason Alexander
> 
> Phil Rodrigues wrote:
> > Hi all,
> > 
> > The Internet Storm Center posted that some .edu's have seen what 
> > appears to be a mass exploitation of their systems with a variant of 
> > the PolyBot worm that uses the LSASS exploit:
> > 
> > http://isc.incidents.org/diary.php?date=2004-04-27
> > 
> 
> 
> ---------
> Jason Alexander
> Sr. Security Analyst
> The University of Iowa
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Phil Deneault     "We work in the dark, We do what we can,
deneault at wpi.edu   We give what we have. Our doubt is our passion,
WPI NetOps         and our passion is our task. The rest is the
InfoSec            madness of art." - Henry James
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-




