[unisog] Full-on LSASS worm? [was: Apparent spread of LSASS exploitation]

Brian Eckman eckman at umn.edu
Thu Apr 29 19:50:51 GMT 2004

David Ressman wrote:
> Greetings, 
> In the last two hours, we've seen a bunch of hosts all start scanning
> out for ports 2745, 135, 1025, 445, 80, 3127, 139, 1433, and 5000.
> Coupled with a dramatic rise in the random "lsass.exe terminated"
> shutdowns we've come to know and love in the past few days, we're
> sure we're seeing one of the new worms, but we're having a hard time
> identifying exactly which one this is.
> Current McAfee scans aren't proving to be useful.
> If someone could help point me in the right direction, I'd be most
> appreciative.
> Thanks!
> David

It's a variant of Gaobot/Agobot. It's either the following, or something 
just like it.



Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

More information about the unisog mailing list