Date: 29 April 2004
AusCERT Update AU-2004.009 - Worm activity against Microsoft MS04-011
LSASS vulnerability
29 April 2004

AusCERT has learned that a new variant of PhatBot/Agobot/Gaobot is
attacking unpatched Microsoft Windows 2000 and XP hosts, exploiting the
vulnerability in the Microsoft Local Security Authority Subsystem Service
(LSASS), described in Microsoft Security Bulletin MS04-011.

Exploit code has already been published for this vulnerability,
which can result in the execution of arbitrary code with SYSTEM level
privileges and lead to complete compromise of an affected system.

The original AusCERT security bulletin details are:

ESB-2004.0266 -- Microsoft Security Bulletin MS04-011 -- Security Update
for Microsoft Windows (835732)
http://www.auscert.org.au/4006

An increased threat now exists for sites that have not yet applied patches
or implemented mitigation strategies. AusCERT recommends that sites deploy
these patches and/or follow the mitigation information in Microsoft
Security Bulletin MS04-011:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

The exploit code is available from:

http://www.k-otik.com/exploits/04252004.ms04011lsass.c.php

Additional details may be obtained from:

http://isc.sans.org/diary.php?date=2004-04-27
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0533

AusCERT will continue to monitor this vulnerability and any changes in
exploit activity. AusCERT members will be updated as information becomes
available. This update does not supersede the previous AU-2004.008, which
described the exploit for IIS.

Regards,
The AusCERT Team

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================