[unisog] Apparent spread of LSASS exploitation

Edward W. Ray support at mmicman.com
Wed Apr 28 19:21:29 GMT 2004


Not sure if it does both; however, based upon my source, I suspect it does.
Check out the ".c" binary, which should give you a clue as to which ports it
attacks.

-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Gary Flynn
Sent: Wednesday, April 28, 2004 9:56 AM
To: UNIversity System Operators Group Mailing list
Subject: Re: [unisog] Apparent spread of LSASS exploitation

Lang, Michael wrote:

>I have it and sent a copy to ISC, I can send a copy to anyone who wants it.
>
>Symantec detects it as W32.Gaobot.AFJ in the liveupdate released within the
>hour.
>
Do you know if it scans port 135 or 445 like previous versions?
The reason I ask is that that is how I'm detecting and quarantining infected
computers.

thanks,

Gary Flynn
Security Engineer
James Madison University


_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog