Full Disclosure mailing list archives
Re: Sasser skips 10.x.x.x Why?
From: Eric Chien <ecchien () yahoo com>
Date: Mon, 3 May 2004 12:44:31 -0700 (PDT)
Actually, it is all variants (.A - .D). And more specifically, it iterates through all the host IP addresses looking for an address that does not match:

127.0.0.1
10.
172.16 - 172.31 (inclusive)
192.168.
169.254

Then, using this address it creates a random address (sometimes changing all octets, sometimes just the last three, and sometimes just the last two).

...Eric

--- Shawn Cox <shawn.cox () pcca com> wrote:
> It appears that only .D skips private ranges. I incorrectly assumed that the original would do the same.
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.D&VSect=T
> --Shawn
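
Added example (not part of the original message or of any analysis tool): an incident-response triage helper that applies the exclusion list described above to a host inventory, to show which hosts have an address outside the skipped ranges. The CIDR mapping of the listed prefixes, the "first non-matching address wins" order, the function names and the inventory are assumptions of this example; the message does not say what happens when every address matches, so the helper returns None there.

```python
import ipaddress

# Exclusion list from the message, written as CIDR blocks.
# The prefix-to-CIDR mapping is this example's interpretation.
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32",    # "127.0.0.1" (single address, as written)
    "10.0.0.0/8",      # "10."
    "172.16.0.0/12",   # "172.16 - 172.31 (inclusive)"
    "192.168.0.0/16",  # "192.168."
    "169.254.0.0/16",  # "169.254"
)]


def base_address(host_addrs):
    """Return the first IPv4 address not covered by EXCLUDED, else None.

    Assumption: addresses are examined in the order given.
    """
    for raw in host_addrs:
        try:
            ip = ipaddress.IPv4Address(raw.strip())
        except ValueError:
            continue  # malformed or non-IPv4 inventory entry: skip it
        if not any(ip in net for net in EXCLUDED):
            return str(ip)
    return None


def triage(inventory):
    """Map each host name to its non-excluded address (or None)."""
    return {host: base_address(addrs) for host, addrs in inventory.items()}


# Constructed sample inventory (documentation and private ranges only).
INVENTORY = {
    "ws-nat": ["127.0.0.1", "10.1.2.3"],
    "gw-dual": ["127.0.0.1", "192.168.0.1", "198.51.100.7"],
    "lab-edge": ["172.32.0.5"],                 # just outside 172.16 - 172.31
    "dhcp-fail": ["169.254.10.20", "not-an-ip"],
}

if __name__ == "__main__":
    for host, addr in triage(INVENTORY).items():
        print(f"{host:10} {addr or 'all addresses in skipped ranges'}")
```
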
