[Dshield] MSblast Version A B and C...

Johannes B. Ullrich jullrich at sans.org
Thu Aug 14 23:27:34 GMT 2003



I just posted Chris's very detailed analysis to the
handlers diary. See the link at
http://isc.sans.org/dairy.html?date=2003-08-14



On Thu, 2003-08-14 at 16:33, Bakota Peter wrote:
> Hello!
> 
> Can you send me a copy of your analysis of version A?
> Thanx
> 
> Peter
> 
> ----- Original Message -----
> From: "Chris Ream" <chrisr at stopthemcold.com>
> To: "'General DShield Discussion List'" <list at dshield.org>
> Sent: Thursday, August 14, 2003 6:18 PM
> Subject: [Dshield] MSblast Version A B and C...
> 
> 
> > Ok, this is a strange request but I have just trapped a new version of
> > msblast in the wild. Looks like a version D! I will be testing this new
> > strain but I have a suspicion that there are others out there as well.
> > This one loaded as msblast.exe but it didn't have the same md5 checksum
> > and appears to install a backdoor on port 31337 (stupid).
> >
> > I am making a group request to send me any and all versions you have. I
> > will provide a web-site for anyone interested in this to download them
> > from. Even if you think I already have a copy of the one you have please
> > send it anyway. I want to be sure.
> >
> > By the way, I also have the completed analysis of version A in pdf
> > format if anyone wants a copy.
> >
> > Take care,
> > Chris.
> >
> > Please send all viruses/worms to chrisr at stopthemcold.com (weird request
> > huh?)
> >
> >
> >
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> >
> 
-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt
