Full Disclosure mailing list archives
Re: No one else seeing the new MS05-039 worm yet?
From: Matt <smp.repicky () gmail com>
Date: Thu, 1 Sep 2005 16:52:19 -0400
Whatever you posted isn't anything "new." Look at what it's exploiting. It's LSASS and DCOM rolled up with PnP of this months. Which is Plug and Play not even UNIVERSAL PnP. So if it's scanning on port 5000 it's not gonna do anything. It needs to be looking on 445. The actual MS05-039 worm is nicknamed Zotob as released Aug 14th and has done considerable damage. Whatever this thing is that you've posted isn't worth looking at twice if those details are accurrate. http://www.securityfocus.com/news/11297 (*link to the arrest reported on SecurityFocus of the writers of the worm*) -- On 8/30/05, fd () ew nsci us <fd () ew nsci us> wrote:
On Mon, 29 Aug 2005, Vic Vandal wrote:I guess one can call it the Katrina worm until something better comes along. [...] - Sticks a long line of hosts resolving to broadcast address in: C:\WINNT\System32\Drivers\etc in hosts file.Do we still have huge smurf networks in the wild or has that pretty much been resolved? A well coordinated smurf from a bunch of hosts as feeding points could make a spectacular DoS. -- Eric Wheeler Vice President National Security Concepts, Inc. PO Box 3567 Tualatin, OR 97062 http://www.nsci.us/ Voice: (503) 293-7656 Fax: (503) 885-0770 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: No one else seeing the new MS05-039 worm yet? Matt (Sep 01)