[Intrusions] Potential new malware discovered.

Klein, Jamy Jamy.Klein at cshs.org
Tue Oct 4 18:39:30 GMT 2005


At my company today we found what appears to be a zero-day virus. The virus
file appears as shupd64.exe. When executed, the file does the following.

1. Moves itself to \windows\system32.

2. Adds registry entries to local machine and current user hives of the
registry in the Run, RunOnce, RunServices keys.

3. Opens network connections on:
   TCP ports 1037 and 10404
   UDP ports 1026 and 1900

4. Tries to propagate via TCP 445.

This appears to be a variation of Zotob or new malware using the same
vulnerability as Zotob to enter. As of this writing, it has been reported to
the virus vendors, but no signature updates yet.

 

Jamy Klein 

CISSP, GCFW, GSEC, RHCT, MCP

Security Specialist

Network Security Team - Enterprise Information Systems

Cedars-Sinai Medical Center

Phone: (310)423-2921

E-mail: jamy.klein at cshs.org
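The indicators in the post (a file named shupd64.exe, Run/RunOnce/RunServices persistence in HKLM and HKCU, listeners on TCP 1037/10404 and UDP 1026/1900, and outbound probing of TCP 445) can be turned into a host-triage check while signatures are still pending. The script below is an added example written for this page, not code from the poster or the list: it parses `netstat -ano` style and `reg query` style output and flags the reported indicators. The sample output, process IDs, value names and the SYN-burst threshold are all constructed for illustration; only the ports, key names and file name come from the post.

```python
from collections import Counter

# Indicators taken from the post.
INDICATOR_FILE = "shupd64.exe"
SUSPECT_TCP_LISTEN = {1037, 10404}
SUSPECT_UDP_BIND = {1026, 1900}
RUN_KEYS = ("\\Run", "\\RunOnce", "\\RunServices")
PROPAGATION_PORT = 445
SYN_BURST_THRESHOLD = 3   # assumption: this many half-open SMB connections from one PID

# Constructed sample of `netstat -ano` output; PIDs and addresses are invented.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:1037           0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:10404          0.0.0.0:0              LISTENING       1520
  TCP    10.0.0.5:1041          10.0.0.9:445           SYN_SENT        1520
  TCP    10.0.0.5:1042          10.0.0.10:445          SYN_SENT        1520
  TCP    10.0.0.5:1043          10.0.0.11:445          SYN_SENT        1520
  UDP    0.0.0.0:1026           *:*                                    1520
  UDP    0.0.0.0:1900           *:*                                    1044
"""

# Constructed sample of `reg query` output; the value name "shupd" is invented.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    shupd         REG_SZ    C:\WINDOWS\system32\shupd64.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    shupd         REG_SZ    C:\WINDOWS\system32\shupd64.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    Shell         REG_SZ    explorer.exe
"""


def port_of(addr):
    """Port number of an 'ip:port' string."""
    return int(addr.rsplit(":", 1)[1])


def parse_netstat(text):
    """Turn `netstat -ano` lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""   # UDP rows carry no state column
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(parts[-1])})
    return rows


def flag_listeners(rows):
    """(proto, port, pid) for sockets bound to the ports named in the post."""
    hits = []
    for r in rows:
        port = port_of(r["local"])
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and port in SUSPECT_TCP_LISTEN:
            hits.append(("TCP", port, r["pid"]))
        elif r["proto"] == "UDP" and port in SUSPECT_UDP_BIND:
            hits.append(("UDP", port, r["pid"]))
    return hits


def flag_smb_scanning(rows, threshold=SYN_BURST_THRESHOLD):
    """PIDs with a burst of half-open outbound connections to TCP 445."""
    counts = Counter(r["pid"] for r in rows
                     if r["proto"] == "TCP" and r["state"] == "SYN_SENT"
                     and port_of(r["foreign"]) == PROPAGATION_PORT)
    return {pid: n for pid, n in counts.items() if n >= threshold}


def correlate_pids(listener_hits, smb_hits):
    """PIDs that both hold a reported listener and probe TCP 445."""
    return sorted({pid for _, _, pid in listener_hits} & set(smb_hits))


def flag_run_keys(reg_text, needle=INDICATOR_FILE):
    """(key, value line) for Run-family values that reference the file name."""
    hits, current_key = [], None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
        elif current_key and current_key.endswith(RUN_KEYS) and needle.lower() in line.lower():
            hits.append((current_key, line.strip()))
    return hits


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    listeners = flag_listeners(rows)
    scanning = flag_smb_scanning(rows)
    print("listeners:", listeners)
    print("smb scanning:", scanning)
    print("correlated pids:", correlate_pids(listeners, scanning))
    print("run keys:", flag_run_keys(SAMPLE_REG))
```

UDP 1900 is also the SSDP port used by legitimate UPnP discovery, so a bare match on it is weak evidence; the script therefore reports the PID with each hit so that a listener can be correlated with the same process probing TCP 445, which in the sample isolates PID 1520 while the UDP 1900 binding belongs to another process.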