[unisog] Full-on LSASS worm? [was: Apparent spread of LSASS exploitation]

David Ressman davidr at portnoy.uchicago.edu
Thu Apr 29 19:27:20 GMT 2004


Greetings, 

In the last two hours, we've seen a bunch of hosts all start scanning
out for ports 2745, 135, 1025, 445, 80, 3127, 139, 1433, and 5000.
Coupled with a dramatic rise in the random "lsass.exe terminated"
shutdowns we've come to know and love in the past few days, we're
sure we're seeing one of the new worms, but we're having a hard time
identifying exactly which one this is.

Current McAfee scans aren't proving to be useful.

If someone could help point me in the right direction, I'd be most
appreciative.

Thanks!

David

-- 
David Ressman                       Network Security Officer
(773) 702-4789         The University of Chicago Network Security Center



More information about the unisog mailing list