research the vector. close the door.         



 AUGUST 2004 VECTORBLOG

August 26, 2004

LSASS again.

Scane hit the streets today, another worm that exploits the LSASS buffer overflow patched by MS04-011 (835732). That KB number just rolls off the tongue now, doesn’t it? Distribution appears to be light.


August 20, 2004

64K.

A new proof-of-concept virus from author roy g biv is out and is named Shruggle.1318. This code targets the AMD 64-bit chips (a companion to the Itanium version released in May called Rugrat.3344) and is written in AMD64 assembly.


August 19, 2004

Macro drop.

Since the publication of the “Macro Rebound” report a few new variants have appeared. Notably, Ainesey.C was discovered recently. This MS Excel macro drops a Trojan onto the infected host as well as a copy of the original Ainesey. Check out Symantec’s report on this guy: http://www.symantec.com/avcenter/venc/data/x97m.ainesey.c.html


August 16, 2004

New mail.

A new mass mailer has gotten some attention over the last few days. Going by the name Neveg or Nevag, this mailer has a very Beagle/MyDoom-like set of qualities: it spreads via file shares as well as its own SMTP engine, uses short, generic attachment names, avoids certain email addresses, and attempts to DoS a few sites. It also carries a virtually identical set of names for its file share copies as Beagle:

ACDSee 9.exe
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0.exe
KAV 5.0.exe
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno Screensaver.scr
Porno, sex, oral, anal cool, awesome!!.exe
Serials.txt.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe


August 12, 2004

Experience.

XP SP2 has been out for a few days. Politics and religion aside, it is a step in the right direction from Microsoft, and it certainly has the potential to curtail the worm activity on the Internet today (see the Aug 11 entry). Check out the Microsoft resources at:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx


August 11, 2004

Anniversary.

Still unpatched against MS03-026, MS03-039, or MS04-012? Are you tired of seeing these yet?

90 90 90 00 5C 00 43 00 24 00 5C 00 31 00 32 00    ....\.C.$.\.1.2.
33 00 34 00 35 00 36 00 31 00 31 00 31 00 31 00    3.4.5.6.1.1.1.1.
31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00    1.1.1.1.1.1.1.1.
31 00 31 00 31 00 2E 00 64 00 6F 00 63 00 00 00    1.1.1...d.o.c...
01 10 08 00 CC CC CC CC 20 00 00 00 30 00 2D 00    ........ ...0.-.
00 00 00 00 88 2A 0C 00 02 00 00 00 01 00 00 00    .....*..........
28 8C 0C 00 01 00 00 00 07 00 00 00 00 00 00 00    (...............

Still showing up in the honeypots, which is no surprise, I guess. Blaster and Blaster-style variants still flood the Internet, one year later.
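The dump above is recognizable at a glance: a short run of 0x90 NOP bytes followed by a wide-character (UTF-16LE) path of the form \C$\...doc, exactly what a honeypot operator ends up grepping for when triaging Blaster-era RPC traffic. The following script is an added example (not code from this blog): it parses the hex dump as printed on the page, recovers the raw bytes, and flags the NOP-plus-wide-path pattern as a signature. The function names, the "16 bytes before the match" window for counting NOPs, and the verdict threshold are my own constructed choices, not anything the page or any vendor defines.

```python
import re

# The seven dump lines as captured on the page (offset-free hexdump: 16 bytes, then an
# ASCII column). Only the hex column is parsed; the ASCII column is ignored.
CAPTURED_DUMP = r"""
90 90 90 00 5C 00 43 00 24 00 5C 00 31 00 32 00    ....\.C.$.\.1.2.
33 00 34 00 35 00 36 00 31 00 31 00 31 00 31 00    3.4.5.6.1.1.1.1.
31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00    1.1.1.1.1.1.1.1.
31 00 31 00 31 00 2E 00 64 00 6F 00 63 00 00 00    1.1.1...d.o.c...
01 10 08 00 CC CC CC CC 20 00 00 00 30 00 2D 00    ........ ...0.-.
00 00 00 00 88 2A 0C 00 02 00 00 00 01 00 00 00    .....*..........
28 8C 0C 00 01 00 00 00 07 00 00 00 00 00 00 00    (...............
"""

# UTF-16LE "\X$\<printable chars>.doc" followed by a two-byte NUL terminator.
# Each ASCII character in the wide string is a byte followed by 0x00.
UTF16_DOC_PATH = re.compile(
    rb"\x5c\x00[A-Z]\x00\x24\x00\x5c\x00"      # "\C$\"  (any drive letter)
    rb"(?:[\x20-\x7e]\x00)+?"                   # filename characters (lazy)
    rb"\x2e\x00d\x00o\x00c\x00"                 # ".doc"
    rb"\x00\x00"                                # wide NUL terminator
)

# Constructed choice: how far back from the path to look for NOP padding.
NOP_WINDOW = 16


def parse_hex_dump(dump: str) -> bytes:
    """Turn a 16-bytes-per-line hex dump (hex column first) into raw bytes."""
    data = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        # 16 byte pairs separated by single spaces occupy exactly 47 characters.
        data += bytes.fromhex(line[:47])
    return bytes(data)


def find_wide_doc_paths(data: bytes) -> list[dict]:
    """Locate every NUL-terminated wide '\\X$\\...doc' path and describe its context."""
    hits = []
    for m in UTF16_DOC_PATH.finditer(data):
        start = m.start()
        wide = data[start:m.end() - 2]           # drop the terminator before decoding
        preceding = data[max(0, start - NOP_WINDOW):start]
        hits.append({
            "offset": start,
            "path": wide.decode("utf-16-le"),
            "nops_before": preceding.count(0x90),
        })
    return hits


def looks_like_dcom_probe(data: bytes) -> bool:
    """Verdict: a wide .doc share path with NOP padding shortly before it."""
    return any(h["nops_before"] > 0 for h in find_wide_doc_paths(data))


if __name__ == "__main__":
    payload = parse_hex_dump(CAPTURED_DUMP)
    for hit in find_wide_doc_paths(payload):
        print(f"offset {hit['offset']}: {hit['path']!r}, NOPs before: {hit['nops_before']}")
    print("Blaster-style RPC DCOM probe:", looks_like_dcom_probe(payload))
```

The decoded path from the page's own bytes is \C$\123456 followed by fifteen "1" characters and ".doc"; the long run of identical filler characters plus the NOP bytes at offset 0 is the part worth alerting on, since a legitimate DCOM call would carry neither.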


August 9, 2004

Beagle.AO

A new variant of the Beagle worm has surfaced today, apparently with a very high seeding level. The new version (AO, per Symantec) is crushing mail servers around the world and will be added to the upcoming Part 2 of the Beagle History report.


MyDoom.P also hit the scene today. This worm has also been reported from a number of sources, possibly signaling a high seed rate for this one as well.


August 7, 2004

Love.

Lovgate is making the rounds with version AN. Remember that this worm has a history of incorporating true virus qualities: it parasitically infects EXEs on the compromised host, meaning that hundreds or thousands of files could turn up as infected when an AV scanner runs.


Copyright © 2004 infectionvectors.com. All rights reserved.