[unisog] Worm outbreak at UMass and Yale with similar characteristics

Pete Hickey pete at shadows.uottawa.ca
Fri Apr 9 23:46:59 GMT 2004


On Wed, Apr 07, 2004 at 01:55:17PM -0400, STeve Andre' wrote:
>    Is the statement that a fully patched W2K system can get this, true?
> 
>    If so, how do machines become infected?  Any good URLs to pass
> on for this one?

Guessing weak passwords.   One of the first things it does is turn off
virus protection too.  Fully patched systems are vulnerable.

Users must be reminded that, after cleaning the machine, they
must also change their password, otherwise they will get re-infected.

Another thing it is doing: if you have servers with 'intruder lockout'
(i.e. the server freezes an account after multiple unsuccessful logon
attempts), you'll get locked out as infected machines attempt to log
onto your server.

We're currently fighting at least 6 variants.


> On Monday 05 April 2004 09:52 am, Allison MacFarlan wrote:
> > This weekend both institutions experienced an outbreak of a Gaobot
> > variant
> > that went undetected by antivirus engines and affected fully-patched
> > machines. In both cases (but for different levels of account
> > privileges),
> > the vector was a compromised account. There were slight variations in
> > the worm's effects, detailed below:
> >
> > UMass notes (David Korpiewski):
> >
> > Date: Mon, 05 Apr 2004 09:15:44 -0400
> > From: David Korpiewski <davidk at cs.umass.edu>
> > To: windows-hied at lists.Stanford.EDU
> >
> > This is just FYI, but the UMASS network has been getting hammered by a
> > new worm that can get into a fully patched W2k system.   Here are the
> > details:
> >
> >
> > "We've just encountered MSDTC32.EXE in both Hardware and Software
> > Support.  I examined a Win2k box with SP4 and the most recent patches.
> >
> > There were startup hooks in:
> > HKLM\Software\Microsoft\Windows\CurrentVersion\Run
> > HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
> >
> > File locations were:
> > C:\WINNT
> > C:\WINNT\SYSTEM32
> >
> > McAfee 7.1 with virus defs 4346 detected w32/Polybot.l!hosts almost
> > immediately after each reboot until these were removed.
> >
> > The infected file was:
> > C:\WINNT\System32\Drivers\etc\hosts
> >
> > MSDTC32.EXE was listening on two different ports on this machine (they
> > were different after each reboot).  Connecting (telnet localhost
> > <port>) to the lesser of the two ports, I always received a "Bot
> > Server" message.  The response to a carriage return (whether data was
> > entered or type) responded with "Bye."  Connecting to the greater of
> > the ports, I received a flood of binary data.
> >
> > Upon initial infection, there was a new folder created (C:\mirc) which
> > contained none other than mirc.
> >
> > Yale notes (Bradley Gano):
> >
> > 1. The worm copies and executes itself as %Systemroot%\msdtc32.exe.
> > The binary uses ports TCP7001, TCP7729, UDP123, or UDP137 as a
> > backdoor.
> > 2. It installs a value called "Video Process Loader" to the
> > following registry keys:
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
> > 3. The worm ends any antivirus or firewall software, and attempts to
> > kill processes associated with other worms. It will interfere with
> > the Task Manager.
> > 4. It appends the lines in item #5 of the Gaobot.UM worm to the
> > system's host file
> > http://www.symantec.com/avcenter/venc/data/w32.gaobot.um.html
> > (all loopback entries) and
> > 5. connects to an IRC channel, where it may send or download system
> > information, connect to other systems, set up a socks proxy server.
> > It will attempt to spread to other computers on the network, and may
> > transmit codes, passwords and system information to the IRC channel.
> >
> > What we saw in sniffing the CLS network was that there was lots of
> > scanning traffic at the 80, 1080 (socks) and 3128 ports. Infected
> > machines also seem to have arbitrary high ports listening as
> > backdoors.
> >
> > These are Brad's instructions for cleaning the worm off the system:
> > Steps for cleaning the MSDTC32 worm (must be done with local admin
> > account):
> >
> > 1. Unplug Ethernet cable.
> > 2. Boot to safe mode (by hitting F8 a bunch of times when the
> > computer starts up—if you miss it restart and try again)
> > 3. Log in as local administrator (make sure it comes up in safe
> > mode)
> > 4. Disable system restore (system control panel – system restore
> > tab, check the box to disable and say OK and Yes) – This is on XP
> > ONLY
> > 5. Put back hosts file the way it belongs
> > a. From cmd prompt, type: notepad
> > %systemroot%\system32\drivers\etc\hosts
> > b. Edit out all the entries except the one for 127.0.0.1 localhost
> >    (the comments at the top can stay)
> > c. Save changes and quit notepad
> > 6. Delete references to MSDTC32.EXE in Registry
> > a. Run regedit
> > b. Go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
> > c. Delete the entry for “Video Device Loader” (data is MSDTC32.EXE)
> > d. Repeat for \RunServices
> > e. Do a Find for other instances of MSDTC32.EXE in the Registry and
> > delete any that exist (start from the top of the tree by clicking on
> > My Computer at the top, then CTRL+F)
> > 7. Search all local hard drives for any copies of MSDTC32.EXE and
> > delete them all
> > a. E.g. use Start/Search/For Files or Folders (scan all local
> > drives, not just C)
> > b. There will probably be at least a couple instances of it (in
> > %systemroot% and %systemroot%\system32, probably in a prefetch
> > folder, too)
> > 8. Look for a zero-byte file called %systemroot%\testfile and delete
> > it
> > 9. Empty recycle bin.
> > 10. Run Intelligent Updater off CD
> > 11. Change local admin account name and password (optional—depends
> > what sysadmin says for that machine)
> > 12. Plug in Ethernet cable
> > 13. Reboot into regular mode (un-safe mode? “dangerous” mode?)
> >
> > Log in as any local admin (staff users can do this themselves if
> > they are local admins):
> >
> > 1. Run NAV to make sure virus definition file has the date you
> > expected it to have following Intelligent Updater.
> > 2. Check to make sure Automatic Updates is set to download and
> > install updates automatically. (On system control panel in Win XP)
> > 3. Run Windows Update to make sure the machine is up to date on
> > critical updates.
> > 4. Run a full NAV scan to make sure it doesn’t find anything.
> > 5. OPTIONAL: Turn system restore back on (depends on what the
> > machine’s admin says to do)
> >
> > Note: %systemroot% means c:\windows on XP and c:\winnt on 2k. You
> > can type either the variable or the folder name above.
> >
> > +++++++++++++++++-+--+---+----+--
> > Allison S. MacFarlan
> > Information Security Officer
> > Academic Media and Technology
> > Yale University
> > ph: 203-432-6684
> > bp: 203-370-0554

-- 
Pete Hickey                                       /~\  The ASCII
The University of Ottawa                          \ /  Ribbon Campaign
Ottawa, Ontario                                    X   Against HTML
Canada                                            / \  Email!
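The Yale cleanup steps 5 through 7 above are done by hand in notepad, regedit and the file search dialog. The following is an added example, not code from the original post or from either institution: it checks the same three indicators the steps inspect (hosts file entries other than 127.0.0.1 localhost, Run/RunServices values named "Video Process Loader" or "Video Device Loader" or pointing at msdtc32.exe, and the expected file locations) so a helpdesk can triage a machine before the manual cleanup. The hosts text and registry snapshot in the block are constructed samples; only `read_live_run_values` touches a real registry, and only on Windows.

```python
"""Audit helpers for the MSDTC32 / Gaobot indicators described in the thread.

Added example, not from the original post. The hosts text and the
registry snapshot below are constructed samples; the only live-system
path is the optional winreg reader, which is a no-op off Windows.
"""
import os
import sys

WORM_BINARY = "msdtc32.exe"
# Startup value names quoted in the thread (item 2 and cleanup step 6c).
SUSPECT_VALUE_NAMES = {"video process loader", "video device loader"}
RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed sample: a hosts file with two appended loopback entries,
# as described in Yale item 4 (the real worm uses AV vendor names).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       example-av-vendor.invalid
127.0.0.1       update.example-av-vendor.invalid
"""

# Constructed sample: {key_path: {value_name: data}} as regedit would show it.
SAMPLE_REGISTRY = {
    RUN_KEYS[0]: {
        "Video Process Loader": "MSDTC32.EXE",
        "ExampleAgent": r"C:\Program Files\Example\agent.exe",  # benign placeholder
    },
    RUN_KEYS[1]: {"Video Device Loader": r"C:\WINNT\msdtc32.exe"},
}


def audit_hosts(text):
    """Return (bad_lines, cleaned_text).

    Keeps comments, blank lines and the '127.0.0.1 localhost' mapping;
    every other mapping is reported and dropped, which is the edit that
    cleanup step 5b performs by hand in notepad.
    """
    bad, keep = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            keep.append(line)
            continue
        parts = stripped.split()
        if parts[0] == "127.0.0.1" and [p.lower() for p in parts[1:]] == ["localhost"]:
            keep.append(line)
        else:
            bad.append(stripped)
    return bad, "\n".join(keep) + "\n"


def audit_run_values(snapshot):
    """Return [(key, value_name, data)] for startup values that use the worm's
    loader name or whose data runs msdtc32.exe (cleanup step 6)."""
    hits = []
    for key, values in snapshot.items():
        for name, data in values.items():
            if name.lower() in SUSPECT_VALUE_NAMES or WORM_BINARY in data.lower():
                hits.append((key, name, data))
    return hits


def worm_file_candidates(systemroot):
    """Paths that cleanup step 7 says to check for msdtc32.exe, plus the
    zero-byte marker file from step 8. Returns the ones that exist."""
    candidates = [
        os.path.join(systemroot, "msdtc32.exe"),
        os.path.join(systemroot, "system32", "msdtc32.exe"),
        os.path.join(systemroot, "Prefetch", "MSDTC32.EXE-00000000.pf"),  # placeholder hash suffix
        os.path.join(systemroot, "testfile"),
    ]
    return [p for p in candidates if os.path.exists(p)]


def read_live_run_values():
    """Read the real Run/RunServices keys (Windows only; returns {} elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg
    snapshot = {}
    for key_path in RUN_KEYS:
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    values[name] = str(data)
                    i += 1
        except OSError:
            continue
        snapshot[key_path] = values
    return snapshot


if __name__ == "__main__":
    bad, _ = audit_hosts(SAMPLE_HOSTS)
    print("suspect hosts entries:", bad)
    print("suspect startup values:", audit_run_values(SAMPLE_REGISTRY))
    print("worm files present:", worm_file_candidates(os.environ.get("SystemRoot", r"C:\WINNT")))
```

Run it on the real machine by feeding `audit_hosts` the contents of `%systemroot%\system32\drivers\etc\hosts` and `audit_run_values` the result of `read_live_run_values()`; the prefetch file name is a placeholder because the hash suffix Windows appends is not in the thread.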
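Pete's remark about intruder lockout means the useful signal on the server side is not which account got locked but which workstation produced the burst of bad passwords. As an added example (not code from the post), the block below counts failed logons per source workstation over a sliding window and flags the sources that look like password guessing. The event lines are constructed samples in a simple comma-separated form, not a real security-log export; the event IDs are the Windows 2000/XP ones (529 bad user name or password, 539 account locked out, 528 successful logon).

```python
"""Flag workstations that are guessing passwords against a server.

Added example, not from the original post. The event text is a
constructed sample in 'timestamp,event_id,account,workstation' form.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows 2000/XP security log IDs for failed logons.
FAILED_LOGON_IDS = {529, 539}

SAMPLE_EVENTS = """\
2004-04-07 13:50:01,529,jsmith,LAB-PC-17
2004-04-07 13:50:02,529,jsmith,LAB-PC-17
2004-04-07 13:50:02,529,admin,LAB-PC-17
2004-04-07 13:50:03,529,administrator,LAB-PC-17
2004-04-07 13:50:05,529,jsmith,LAB-PC-17
2004-04-07 13:50:05,539,jsmith,LAB-PC-17
2004-04-07 13:51:10,529,mlee,DESK-042
2004-04-07 13:52:00,528,mlee,DESK-042
"""


def parse_events(text):
    """Parse the constructed line format into (timestamp, id, account, host)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, host = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account, host))
    return events


def guessing_hosts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {workstation: (total_failures, sorted_accounts_tried)} for every
    source that produced at least `threshold` failed logons inside any
    `window`-long span. One user mistyping a password never reaches the
    threshold; an infected machine walking a password list does."""
    per_host = defaultdict(list)
    for ts, eid, account, host in sorted(events):
        if eid in FAILED_LOGON_IDS:
            per_host[host].append((ts, account))
    flagged = {}
    for host, fails in per_host.items():
        recent = deque()
        for ts, account in fails:
            recent.append((ts, account))
            while ts - recent[0][0] > window:  # drop failures older than the window
                recent.popleft()
            if len(recent) >= threshold:
                flagged[host] = (len(fails), sorted({a for _, a in fails}))
                break
    return flagged


if __name__ == "__main__":
    for host, (count, accounts) in guessing_hosts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {count} failed logons, accounts tried: {', '.join(accounts)}")
```

The flagged workstation is the one to unplug and clean per the Yale steps; unlocking the account alone just lets the next guess lock it again.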