[Dshield] infocon: yellow

Danny drh26 at drexel.edu
Tue Aug 12 01:47:42 GMT 2003


Hey Johannes, can I grab a copy of this? The directory is password
protected, and I'd love to work out a way to contain this nasty on
campus so that I may be able to possibly get some sleep tonight.

Danny
Network Security Engineer
Drexel University


On Monday, August 11, 2003, at 03:58  PM, Johannes Ullrich wrote:

> http://johannes.homepc.org/viruszoo/msblast.zip
> please let me know what you find.
>
>
>
> On Mon, 2003-08-11 at 15:26, Mrcorp wrote:
>> any chance of getting the worm in a zip file for further analysis?
>>
>> Thank you,
>>
>> Charles
>>
>> --- "Johannes B. Ullrich" <jullrich at sans.org> wrote:
>>>
>>> We just got a binary that looks very much like an RPC worm. It scans
>>> for port 135. No real idea what it does (other than scanning).
>>>
>>> Strings from the file:
>>>
>>> msblast.exe
>>> I just want to say LOVE YOU SAN!!
>>> billy gates why do you make this possible ?
>>>  Stop making money and fix your software
>>> windowsupdate.com
>>>
>>> BILLY
>>> windows auto update
>>> SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>>> tftp -i %s GET %s
>>>
>>>
>>>
>>>
>>> -- 
>>> SANS - Internet Storm Center
>>> http://isc.sans.org
>>> PGP Key: http://isc.sans.org/jullrich.txt
>>>
> -- 
> --------------------------------------------------------------
> Johannes Ullrich                     jullrich at euclidian.com
> pgp key: http://johannes.homepc.org/PGPKEYS
> --------------------------------------------------------------
>    "We regret to inform you that we do not enable any of the
>     security functions within the routers that we install."
>          support at covad.net
> --------------------------------------------------------------



