Security Incidents mailing list archives
Re: new IIS worm? (rcp lsass.exe)
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 24 Sep 2002 05:32:25 +1200
Michael Thompson <mike () thompsonmike co uk> wrote:
lsass.exe is the Microsoft Secure Storage for 2000/NT and XP. It is responsible for managing secure storage in those environments.
Even when it is being scripted via an old IIS exploit to be copied around the Internet? Even when it is only about 9KB and the one in Win2K SP3 is 33,552 bytes?

Come on -- a rudimentary analysis of the situation without even seeing the file suggests that is not the case _here_. Then, when you look at the file that is being rcp-ed around, the first thing you notice is that it is UPX packed -- again, something MS is not renowned for doing to its core OS components but something commonly done to obfuscate malware from casual analysis...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
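The two checks described in the reply above (file size against the known-good copy, and UPX packing), as an added example that is not part of the original post. The function names and the sample bytes are constructed for illustration; the 33,552-byte reference is the figure quoted in the message.

```python
import struct

# Reference size quoted in the post for the Win2K SP3 lsass.exe.
KNOWN_GOOD_SIZE = 33552

def pe_section_names(data):
    """Return section names from a PE image, or [] if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(n_sections):
        entry = table + 40 * i
        if entry + 40 > len(data):
            break  # truncated section table
        names.append(data[entry:entry + 8].rstrip(b"\0").decode("latin-1"))
    return names

def triage(data, expected_size=KNOWN_GOOD_SIZE):
    """Apply the two checks from the post: size mismatch and UPX packing."""
    findings = []
    if len(data) != expected_size:
        findings.append("size %d != expected %d" % (len(data), expected_size))
    # UPX names its sections UPX0/UPX1 by default and embeds a "UPX!" marker.
    if any(n.startswith("UPX") for n in pe_section_names(data)) or b"UPX!" in data:
        findings.append("UPX packed")
    return findings

def build_sample(section_names, total_size):
    """Constructed PE header skeleton for the demo (not a real sample)."""
    buf = bytearray(total_size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x46, len(section_names))
    struct.pack_into("<H", buf, 0x54, 0)  # no optional header in this skeleton
    for i, name in enumerate(section_names):
        off = 0x58 + 40 * i
        buf[off:off + len(name)] = name
    return bytes(buf)

if __name__ == "__main__":
    print(triage(build_sample([b"UPX0", b"UPX1", b".rsrc"], 9 * 1024)))
    print(triage(build_sample([b".text", b".data", b".rsrc"], KNOWN_GOOD_SIZE)))
```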