[Snort-sigs] New LSASS Worm?

Wiryanto Victor wiryanto.victor at ...2983...
Thu Feb 3 17:17:47 EST 2005


Hi,

Many thanks for your input, I think the worm has gotten many anti-virus
vendors' attentions.
McAfee has released another definitions update to handle this worm
(http://vil.nai.com/vil/content/v_131539.htm).

Thanks to all those who sent private messages to me, it has been great
enlightenment.

Cheers,

-----Original Message-----
From: James Riden [mailto:j.riden at ...1766...]
Sent: Friday, February 04, 2005 3:52 AM
To: Wiryanto Victor
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] New LSASS Worm?


"Wiryanto Victor" <wiryanto.victor at ...2983...> writes:

> Hello,
>
> I know this is slightly off-topic, but I am really desperate for a clue.
>
> For the past two days, I have been detecting heaps of traffic activities
> made to  66.250.45.20, 147.32.123.94, 147.83.113.190 and 152.7.64.152.
> This is happenning to some of my hosts (Windows 2000) which were not
patched
> up with MS04-011 vulnerabilities. These hosts, not only making connections
> to TCP port 5190 of these networks, but also trying to spread via TCP port
> 445 to other Windows 2000/XP machines on the network.
>
> I have tried everything I could do at these host, such as, installing
latest
> virus definition, and scanned them in safe mode, but the anti virus
(McAfee)
> is not able to detect any viruses nor worms. I end up manually re-route
all
> the traffic going to these network at the router's end.
>
> Is there anybody who's having the same problem as me? Any help or
> enlightment would be appreciated.

What's the traffic to 5190? Is it possible the machines are phoning
home via IRC channels? What happens if you do a snort lookup against
the IP address of your infected machines - are there any other alerts
from them? What about tagged packets?


To identify the malware, grab a machine - if you can't take one of the
existing ones, set up another box and try to get it infected. Then try
to find the binary which is causing the trouble and submit it to your
favourite AV vendor(s).

A good place to start looking is the auto-run keys in the registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \RunServices

I think HijackThis will tell you about stuff that auto-boots with the
machine. I found a bot variant this way, but the malicious code is
getting sneakier and better at hiding all the time.

Oh, and some AV scanners, such as ClamAV will try to detect generic
MS04-011 exploit code, so may possibly identify otherwise unknown
binaries as malicious.


If you just want to get up and running again, make a backup of *data
only* from these boxes, reinstall from scratch and put your data back
on. And make sure it's fully patched this time.

cheers,
 Jamie
--
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/







More information about the Snort-sigs mailing list