[ RE: [unisog] Worm outbreak at UMass and Yale with similar characteristics]

Dan Jones dan.jones at colorado.edu
Thu Apr 8 20:48:58 GMT 2004

FYI, we have noticed that a Gaobot/Agobot variant has started to scan on
tcp/5000.  We think this is likely utilizing an old uPnP (MS01-059)
exploit from April of 2002.


Dan Jones
Campus IT Security Coordinator - ITS
University of Colorado
303.735.6637 Phone

>-----Original Message-----
>From: Allison MacFarlan [mailto:allison.macfarlan at yale.edu]
>Sent: Monday, April 05, 2004 7:53 AM
>To: unisog at sans.org
>Cc: itsiso.staff at yale.edu; information.security at med.yale.edu
>Subject: [unisog] Worm outbreak at UMass and Yale with similar
>This weekend both institutions experienced an outbreak of a Gaobot variant
>that went undetected by antivirus engines and affected fully-patched
>machines. In both cases (but for different levels of account privileges),
>the vector was a compromised account. There were slight variations in the
>worm's effects, detailed below:
>UMass notes (David Korpiewski):
>Date: Mon, 05 Apr 2004 09:15:44 -0400
>From: David Korpiewski <davidk at cs.umass.edu>
>To: windows-hied at lists.Stanford.EDU
>This is just FYI, but the UMASS network has been getting hammered by a
>new worm that can get into a fully patched W2k system.   Here are the
>"We've just encountered MSDTC32.EXE in both Hardware and Software Support.
>I examined a Win2k box with SP4 and the most recent patches.
>There were startup hooks in:
>File locations were:
>McAfee 7.1 with virus defs 4346 detected w32/Polybot.l!hosts almost
>immediately after each reboot until these were removed.
>The infected file was:
>MSDTC32.EXE was listening on two different ports on this machine (they were
>different after each reboot).  Connecting (telnet localhost
><port>) to the lesser of the two ports, I always received a "Bot Server"
>message.  The response to a carriage return (whether data was entered or
>type) responded with "Bye."  Connecting to the greater of the ports, I
>received a flood of binary data.
>Upon initial infection, there was a new folder created (C:\mirc) which
>contained none other than mirc.
>Yale notes (Bradley Gano):
>1. The worm copies and executes itself as %Systemroot%\msdtc32.exe.
>The binary uses ports TCP7001, TCP7729, UDP123, or UDP137 as a backdoor.
>2. It installs a value called "Video Process Loader" to the following
>registry keys:
>3. The worm ends any antivirus or firewall software, and attempts to kill
>processes associated with other worms. It will interfere with the Task
>4. It appends the lines in item #5 of the Gaobot.UM worm to the system's
>host file http://www.symantec.com/avcenter/venc/data/w32.gaobot.um.html
>(all loopback entries) and
>5. connects to an IRC channel, where it may send or download system
>information, connect to other systems, set up a socks proxy server.
>It will attempt to spread to other computers on the network, and may
>transmit codes, passwords and system information to the IRC channel.
>What we saw in sniffing the CLS network was that there was lots of scanning
>traffic at the 80, 1080 (socks) and 3128 ports. Infected machines also seem
>to have arbitrary high ports listening as backdoors.
>These are Brad's instructions for cleaning the worm off the system:
>Steps for cleaning the MSDTC32 worm (must be done with local admin
>1. Unplug Ethernet cable.
>2. Boot to safe mode (by hitting F8 a bunch of times when the computer
>starts up - if you miss it restart and try again)
>3. Log in as local administrator (make sure it comes up in safe
>4. Disable system restore (system control panel - system restore tab, check
>the box to disable and say OK and Yes) - This is on XP ONLY
>5. Put back hosts file the way it belongs
>   a. From cmd prompt, type: notepad
>   b. Edit out all the entries except the one for
>      localhost  (the comments at the top can stay)
>   c. Save changes and quit notepad
>6. Delete references to MSDTC32.EXE in Registry
>   a. Run regedit
>   b. Go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
>   c. Delete the entry for "Video Device Loader" (data is MSDTC32.EXE)
>   d. Repeat for \RunServices
>   e. Do a Find for other instances of MSDTC32.EXE in the Registry and
>      delete any that exist (start from the top of the tree by clicking on
>      My Computer at the top, then CTRL+F)
>7. Search all local hard drives for any copies of MSDTC32.EXE and delete
>them all
>   a. E.g. use Start/Search/For Files or Folders (scan all local drives,
>      not just C)
>   b. There will probably be at least a couple instances of it (in
>      %systemroot% and %systemroot%\system32, probably in a prefetch
>      folder, too)
>8. Look for zero-byte file called %systemroot%\testfile and delete it
>9. Empty recycle
>10. Run Intelligent Updater off CD
>11. Change local admin account name and password (optional - depends what
>sysadmin says for that machine)
>12. Plug in Ethernet cable
>13. Reboot into regular mode (un-safe mode? "dangerous" mode?)
>Log in as any local admin (staff users can do this themselves if they are
>local admins):
>1. Run NAV to make sure virus definition file has the date you expected it
>to have following Intelligent Updater.
>2. Check to make sure Automatic Updates is set to download and install
>updates automatically. (On system control panel in Win XP)
>3. Run Windows Update to make sure the machine is up to date on critical
>updates.
>4. Run a full NAV scan to make sure it doesn't find anything.
>5. OPTIONAL: Turn system restore back on (depends on what the machine's
>admin says to do)
>Note: %systemroot% means c:\windows on XP and c:\winnt on 2k. You can type
>either the variable or the folder name above.
>Allison S. MacFarlan
>Information Security Officer
>Academic Media and Technology
>Yale University
>ph: 203-432-6684
>bp: 203-370-0554
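A read-only triage script for the indicators quoted in the thread above (the Run/RunServices value, the MSDTC32.EXE copies, the zero-byte testfile, the hosts-file loopback entries, the C:\mirc folder and the two quoted backdoor ports). This is an added example, not code from either institution; it assumes PowerShell 5 or later and Get-NetTCPConnection, neither of which existed on the 2000/XP hosts in the thread, and the value names and paths are taken from the message as written.

```powershell
# Added triage script (not part of the original thread). It only reports; it
# does not delete anything, so it can run before the manual cleanup steps.
$sysRoot  = $env:SystemRoot
$findings = New-Object System.Collections.Generic.List[string]

# 1. Run / RunServices values named as in the thread, or pointing at MSDTC32.EXE.
#    RunServices does not exist on modern Windows, hence the Test-Path guard.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                 # provider metadata, not a value
        if ($p.Name -match '^Video (Device|Process) Loader$' -or
            "$($p.Value)" -match 'msdtc32\.exe') {
            $findings.Add("Registry: $key\$($p.Name) = $($p.Value)")
        }
    }
}

# 2. Dropped binary (locations from step 7b), mIRC folder, zero-byte marker (step 8).
foreach ($path in "$sysRoot\msdtc32.exe", "$sysRoot\system32\msdtc32.exe",
                  "$sysRoot\Prefetch\MSDTC32.EXE-*.pf", 'C:\mirc') {
    if (Test-Path $path) { $findings.Add("Path: $path") }
}
$marker = "$sysRoot\testfile"
if ((Test-Path $marker) -and (Get-Item $marker).Length -eq 0) {
    $findings.Add("Zero-byte marker: $marker")
}

# 3. Hosts file: step 5 says only the localhost line belongs, so any loopback
#    line naming something else is the AV black-holing described in item 4.
$hostsFile = "$sysRoot\system32\drivers\etc\hosts"
foreach ($raw in Get-Content $hostsFile) {
    $line = ($raw -split '#', 2)[0].Trim()                    # strip trailing comments
    if ($line -eq '') { continue }
    $fields = $line -split '\s+'
    if ($fields.Count -lt 2) { continue }
    $isLoopback = $fields[0] -in '127.0.0.1', '::1'
    $extraNames = @($fields[1..($fields.Count - 1)] | Where-Object { $_ -ne 'localhost' })
    if ($isLoopback -and $extraNames.Count -gt 0) { $findings.Add("Hosts: $line") }
}

# 4. Listeners on the two TCP backdoor ports quoted in the Yale notes.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 7001, 7729 } |
    ForEach-Object { $findings.Add("Listener: TCP $($_.LocalPort) pid $($_.OwningProcess)") }

if ($findings.Count -eq 0) { 'No indicators from the thread found.' } else { $findings }
```

Run it from an elevated prompt; the thread also notes that the listening ports changed on every reboot, so an empty listener check on its own proves nothing.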
