[unisog] Full-on LSASS worm? [was: Apparent spread
Young, Beth A.
youngba at more.net
Fri Apr 30 14:42:16 GMT 2004
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Lang, Michael
> Sent: Friday, April 30, 2004 7:21 AM
> To: UNIversity Security Operations Group
> Subject: RE: [unisog] Full-on LSASS worm? [was: Apparent
> spread ofLSASS exploitation]
> We found a great way to detect our infected hosts. It seams
> that every infected host (W32.Gaobot.AFJ) on our network does
> a dns lookup for:
> It's trivial to go through the dns server and look for the
> IPs making those requests...
We have a variant that is (was) trying to connect to 126.96.36.199.
We black-holed that IP address so the infected machines can't get
instructions from the IRC server and we are now in the process of
cleaning up the mess.
Beth Young, CISSP
More information about the unisog