Full Disclosure mailing list archives

Re: No one else seeing the new MS05-039 worm yet?


From: Matt <smp.repicky () gmail com>
Date: Thu, 1 Sep 2005 16:52:19 -0400

Whatever you posted isn't anything "new." Look at what it's exploiting. It's 
LSASS and DCOM rolled up with PnP of this month's. Which is Plug and Play, not 
even UNIVERSAL PnP. So if it's scanning on port 5000 it's not gonna do 
anything. It needs to be looking on 445.
 The actual MS05-039 worm is nicknamed Zotob as released Aug 14th and has 
done considerable damage. Whatever this thing is that you've posted isn't 
worth looking at twice if those details are accurate.
 http://www.securityfocus.com/news/11297 (*link to the arrest reported on 
SecurityFocus of the writers of the worm*)
  --

 On 8/30/05, fd () ew nsci us <fd () ew nsci us> wrote: 

On Mon, 29 Aug 2005, Vic Vandal wrote:

I guess one can call it the Katrina worm until something better comes
along.
[...]
- Sticks a long line of hosts resolving to broadcast address in:
C:\WINNT\System32\Drivers\etc in hosts file.

Do we still have huge smurf networks in the wild or has that pretty much
been resolved? A well coordinated smurf from a bunch of hosts as feeding
points could make a spectacular DoS.


--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
