[Dshield] infocon: yellow

haled@longlines.com haled at longlines.com
Mon Aug 11 20:41:00 GMT 2003


Iowa is getting hammered right now.  I have talked to a couple of the offending ISPs and they said that they are getting calls from customers who say that the customer is getting an error that says that they have to reboot.

Deb 


>FYI: It's started here in NZ at 02:30 local time
>
>------------------------------------------
>Andy Hopkins
>Senior Unix & Firewall Administrator
>healthAlliance
>
>(+64) (9) 486 8944
>(+64) (25) 285 2139
>
>Disclaimer:
>The views and information expressed in this e-Mail are actually mine,
>because my partner says so!
>healthAlliance doesn't necessarily agree with me either
>
>
>
>-----Original Message-----
>From: Johannes B. Ullrich [mailto:jullrich at sans.org]
>Sent: Tuesday, 12 August 2003 06:24
>To: list at dshield.org
>Subject: [Dshield] infocon: yellow
>
>
>We just got a binary that looks very much like an
>RPC worm. It scans for port 135. No real idea what it does (other than
>scanning).
>
>Strings from the file:
>
>msblast.exe
>I just want to say LOVE YOU SAN!!
>billy gates why do you make this possible ? 
> Stop making money and fix your software
>windowsupdate.com
>
>BILLY
>windows auto update
>SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>tftp -i %s GET %s
>
>
>
>
>-- 
>SANS - Internet Storm Center
>http://isc.sans.org
>PGP Key: http://isc.sans.org/jullrich.txt
>
