[unisog] Re: LSASS exploitation - more info

Brian Eckman eckman at umn.edu
Thu Apr 29 19:56:33 GMT 2004


marchany at vt.edu wrote:
> A version of the LSASS exploit program can be found at:
> http://www.securitylab.ru/44913.html (Thanks to Alexander on the 
> full-disclosure list)
> 
> --------------------------
> 
> 
> We found 2 binaries on the infected machines called uu.exe and soundcontrl.exe.
> 
> uu.exe appears to be a version of PhatBNC and it has the following list of 
> hosts imbedded in it:
> 


Those are the same hosts listed in this variant of Gaobot:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125006

I'd bet that's what it is, and not PhatBNC...

Brian
-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota



