[Dshield] infocon: yellow

Johannes Ullrich jullrich at euclidian.com
Mon Aug 11 19:58:53 GMT 2003


http://johannes.homepc.org/viruszoo/msblast.zip
Please let me know what you find.



On Mon, 2003-08-11 at 15:26, Mrcorp wrote:
> Any chance of getting the worm in a zip file for further analysis?
> 
> Thank you,
> 
> Charles
> 
> --- "Johannes B. Ullrich" <jullrich at sans.org> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > We just got a binary that looks very much like an
> > RPC worm. It scans for port 135. No real idea what it does (other than
> > scanning).
> > 
> > Strings from the file:
> > 
> > msblast.exe
> > I just want to say LOVE YOU SAN!!
> > billy gates why do you make this possible ? 
> >  Stop making money and fix your software
> > windowsupdate.com
> > 
> > BILLY
> > windows auto update
> > SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> > tftp -i %s GET %s
> > 
> > 
> > 
> > 
> > -- 
> > SANS - Internet Storm Center
> > http://isc.sans.org
> > PGP Key: http://isc.sans.org/jullrich.txt
> > 
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1 (GNU/Linux)
> > 
> > iD8DBQA/N99UR1p7hYJvB/wRAgmhAJ4xk51nJk53JB9o6tiTvPtIe+V3tACghYLN
> > FulyEetb4Gu8+9fysZN+ajg
> > -----END PGP SIGNATURE-----
> > 
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> 
> 
-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------




