[unisog] [Intrusions] Winupdate2date.exe: New worm variant? ( The Answer)

Eric Peters epeters at pcthome.com
Wed Sep 22 17:02:44 GMT 2004


I personally think it has to do with the story on /. and The Register about
a new spam E-mail circulating which has a 'Click here to remove' link that
launches a site (www.xcelent.biz); that site has on it a drag-drop
javascript exploit, so when the user scrolls the page, it downloads
windows-update32.exe (which I have open in a hex editor now). This only
affects the millions of unpatched windows computers and people who use IE
(internet exploder). There is a slew of other sites on that same server,
according to Webhosting Info, that also have that exploit, some with
windows-update.exe and others with windows-update32.exe.

The windows-update32.exe also references a site, earthlabs.biz, trying to use
an HTTP GET command to download ProxyBot? But that site has no DNS. More info
later when I get time to go through the exe.


host www.xcelent.biz
www.xcelent.biz has address 61.218.79.53
host 61.218.79.53
53.79.218.61.in-addr.arpa domain name pointer
61-218-79-53.HINET-IP.hinet.net

And people wonder why I want to firewall 60/7

Cheers,

Eric

-----Original Message-----
From: Anderson Johnston [mailto:andy at umbc.edu] 
Sent: Tuesday, September 21, 2004 2:00 PM
To: unisog at sans.org; intrusions at lists.sans.org
Subject: [unisog] [Intrusions] Winupdate2date.exe: New worm variant? (The Answer)


Jim Supplee of the College of William and Mary pointed me to a posting at
www.cyberdefender.com.  It's a new worm, and here's hoping the anti-virus
vendors get the new signatures out soon.


Thanks to all the respondents!

							- Andy


------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *
**                                        * PGP key:(afj2002) 4096/8448B056
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56
------------------------------------------------------------------------------
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog
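The first message's host lookups and the remark about firewalling 60/7 invite a quick scoping check: does the proposed block actually cover the observed address, how much address space does it take with it, and how is an indicator with no DNS handled? The following helper, added here and not from either poster, works entirely on records constructed from the `host` output in the post (no live lookups); the "60/7" shorthand expansion mirrors how the rule is written in the message.

```python
import ipaddress

# Constructed from the post's `host` output; earthlabs.biz had no DNS at the time,
# so it is recorded as unresolved rather than guessed.
OBSERVED = {
    "www.xcelent.biz": "61.218.79.53",
    "earthlabs.biz": None,
}


def expand_cidr(short):
    """Expand firewall shorthand such as '60/7' to an ipaddress network.

    The shorthand drops trailing zero octets; ipaddress needs all four, so
    '60/7' becomes 60.0.0.0/7 (which spans both 60.x.x.x and 61.x.x.x)."""
    prefix, length = short.split("/")
    octets = prefix.split(".")
    if len(octets) > 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"bad prefix in rule: {short}")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + length, strict=False)


def evaluate_rule(short, observed):
    """Classify each indicator against a proposed block rule.

    Returns (verdicts, num_addresses): verdicts maps hostname to 'blocked',
    'not blocked' or 'unresolved'; num_addresses is the size of the block, so
    the collateral reach of a wide rule like 60/7 is visible alongside the hit."""
    net = expand_cidr(short)
    verdicts = {}
    for name, addr in observed.items():
        if addr is None:
            verdicts[name] = "unresolved"
        elif ipaddress.ip_address(addr) in net:
            verdicts[name] = "blocked"
        else:
            verdicts[name] = "not blocked"
    return verdicts, net.num_addresses


if __name__ == "__main__":
    verdicts, count = evaluate_rule("60/7", OBSERVED)
    for name, verdict in verdicts.items():
        print(f"{name:20} {verdict}")
    print(f"rule covers {count} addresses")
```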
