[Dshield] infocon: yellow

Mrcorp mrcorp at yahoo.com
Mon Aug 11 19:26:31 GMT 2003


Any chance of getting the worm in a zip file for further analysis?

Thank you,

Charles

--- "Johannes B. Ullrich" <jullrich at sans.org> wrote:
> We just got a binary that looks very much like an
> RPC worm. It scans for port 135. No real idea what it does (other than
> scanning).
> 
> Strings from the file:
> 
> msblast.exe
> I just want to say LOVE YOU SAN!!
> billy gates why do you make this possible ? 
>  Stop making money and fix your software
> windowsupdate.com
> 
> BILLY
> windows auto update
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> tftp -i %s GET %s
> 
> 
> 
> 
> -- 
> SANS - Internet Storm Center
> http://isc.sans.org
> PGP Key: http://isc.sans.org/jullrich.txt
> 





