echo: nthelp
to: Hrvoje Mesing
from: Geo.
date: 2004-05-07 19:13:32
subject: Re: sasser worm (new)

From: "Geo." 

"Hrvoje Mesing" wrote in message news:409bc299{at}w3.nls.net...

> We didn't understand each other.
> OK, so, lsass is exploited on the logon sequence (port 445 - MS Networking) -
> not sure if the exploit can be triggered differently than the logon/auth/lsass
> sequence, because you can drop down to port 445, but lsass is not triggered
> till AUTH is needed. It opens 9996 to connect to 5554 ftpD and get
> *_up.exe, then builds avserve*.exe and binds it to 5554 on that machine.
> But still, if you open *_up.exe you'll get 9996 open and you can "Shell"
> yourself directly in.
>
> This is from my last tests, done a few days ago. I might be wrong tho :)

The way I understood it works is in two stages. Initial infection is via
445, it spawns the 9996 system shell, this is used to get stage two via ftp
from 5554 on the previously infected machine. Once the stage two is loaded
and the system reboots stage one is gone so no more 9996 as I understand it
anyway. Maybe different versions are different in this respect, I dunno.

Geo.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 633/267
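The two-stage sequence Geo describes (exploit over 445, stage-one shell on 9996, then the victim fetching stage two from 5554 on the infecting host) leaves a recognisable ordered pattern in connection logs. The following detector is an added example written for this page, not code from the thread; the log lines, addresses and the five-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style connection records: "<time> <src>:<sport> -> <dst>:<dport>".
# 10.0.0.5 is the already-infected host, 10.0.0.9 the new victim; 10.0.0.7 only probes 445.
SAMPLE_LOG = """\
2004-05-07T19:10:01 10.0.0.5:1034 -> 10.0.0.9:445
2004-05-07T19:10:03 10.0.0.5:1035 -> 10.0.0.9:9996
2004-05-07T19:10:04 10.0.0.9:1201 -> 10.0.0.5:5554
2004-05-07T19:11:00 10.0.0.7:2201 -> 10.0.0.9:445
2004-05-07T19:12:00 10.0.0.9:1202 -> 10.0.0.12:80
"""

LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")


def parse(log):
    """Parse the constructed log format into (timestamp, src, sport, dst, dport) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a connection record
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return events


def find_sasser_chains(events, window=timedelta(minutes=5)):
    """Return (attacker, victim) pairs whose traffic shows 445 -> 9996 -> 5554 in order.

    The window is deliberately short: per the thread, the 9996 shell only exists
    until stage two is installed and the victim reboots.
    """
    seen = defaultdict(dict)  # (attacker, victim) -> {port: first timestamp}
    hits = []
    for ts, src, _sport, dst, dport in sorted(events):
        if dport == 445:
            seen[(src, dst)].setdefault(445, ts)
        elif dport == 9996 and 445 in seen[(src, dst)]:
            if ts - seen[(src, dst)][445] <= window:
                seen[(src, dst)].setdefault(9996, ts)
        elif dport == 5554:
            key = (dst, src)  # victim (src here) reaching back to the attacker's FTP
            if 9996 in seen[key] and ts - seen[key][445] <= window and key not in hits:
                hits.append(key)
    return hits
```

A lone connection to 445 (the 10.0.0.7 line) is not enough to raise a hit; only the complete ordered chain does, which keeps ordinary SMB traffic out of the alert.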

SOURCE: echomail via fidonet.ozzmosis.com
