Some brief details on new worm

From: E. Larry Lidz (ellidzat_private)
Date: Tue Sep 18 2001 - 08:34:19 PDT

    Okay, we've got some details from a quick glance at one of the infected
    machines.
    
    There's a directory:
    
    \Program Files\Common Files\msadc
    
    which has 4 files in it:
    
    root.exe, TFTP129, TFTP68, TFTP192.
    
    The last three look like they might be some sort of registry key.
    
    Going to the machine's website and looking for http://>/msadc/TFTP68
    should download the file.
    
    -Larry
    
    ---
    E. Larry Lidz                                        Phone: (773)702-2208
    Sr. Network Security Officer                         Fax:   (773)702-0559
    Network Security Center, The University of Chicago
    PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
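
A host-triage check built from the indicators in the message above, as an added example that is not part of the original post: it looks in `\Program Files\Common Files\msadc` on a live or mounted volume for `root.exe` and `TFTP<digits>` files and records size, modification time and SHA-256 for each. Matching any `TFTP<digits>` name is an assumption generalised from the three names reported, and the function names are illustrative.

```python
import hashlib
import re
from datetime import datetime, timezone
from pathlib import Path

# Names reported in the message. Treating any "TFTP<digits>" name as suspect
# is an assumption generalised from TFTP129, TFTP68 and TFTP192.
SUSPECT_NAME = re.compile(r"^(root\.exe|TFTP\d+)$", re.IGNORECASE)
MSADC_PARTS = ("Program Files", "Common Files", "msadc")


def find_dir_nocase(root, parts):
    """Resolve root/parts case-insensitively (evidence may be mounted on Linux)."""
    current = Path(root)
    for part in parts:
        matches = [p for p in current.iterdir()
                   if p.is_dir() and p.name.lower() == part.lower()]
        if not matches:
            return None
        current = matches[0]
    return current


def triage_msadc(volume_root):
    """Return one record per suspect file found in the msadc directory."""
    msadc = find_dir_nocase(volume_root, MSADC_PARTS)
    if msadc is None:
        return []
    findings = []
    for entry in sorted(msadc.iterdir(), key=lambda p: p.name.lower()):
        if not entry.is_file() or not SUSPECT_NAME.match(entry.name):
            continue
        data = entry.read_bytes()
        stat = entry.stat()
        findings.append({
            "path": str(entry),
            "name": entry.name,
            "size": stat.st_size,
            "modified_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "looks_like_pe": data[:2] == b"MZ",  # PE executables start with "MZ"
        })
    return findings


if __name__ == "__main__":
    import sys
    for finding in triage_msadc(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(finding)
```

Run it against the system drive or the mount point of a forensic image; the hashes and timestamps give a record to compare across machines before anything is cleaned up.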
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:19:29 PDT