Security Incidents mailing list archives

Re: new IIS worm? (rcp lsass.exe)


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 24 Sep 2002 05:32:25 +1200

Michael Thompson <mike () thompsonmike co uk> wrote:

> lsass.exe is the Microsoft Secure Storage for 2000/NT and XP. It is
> responsible for managing secure storage in those environments.

Even when it is being scripted via an old IIS exploit to be copied 
around the Internet?

Even when it is only about 9KB and the one in Win2K SP3 is 33,552 
bytes?

Come on -- a rudimentary analysis of the situation without even 
seeing the file suggests that is not the case _here_.

Then, when you look at the file that is being rcp-ed around, the 
first thing you notice is that it is UPX packed -- again, something 
MS is not renowned for doing to its core OS components but something 
commonly done to obfuscate malware from casual analysis...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
