[unisog] Full-on LSASS worm? [was: Apparent spread of LSASS
davidr at portnoy.uchicago.edu
Thu Apr 29 19:27:20 GMT 2004
In the last two hours, we've seen a bunch of hosts all start scanning
out for ports 2745, 135, 1025, 445, 80, 3127, 139, 1433, and 5000.
Coupled with a dramatic rise in the random "lsass.exe terminated"
shutdowns we've come to know and love in the past few days, we're
sure we're seeing one of the new worms, but we're having a hard time
identifying exactly which one this is.
Current McAfee scans aren't proving to be useful.
If someone could help point me in the right direction, I'd be most
David Ressman
Network Security Officer
The University of Chicago Network Security Center
(773) 702-4789