[Dshield] New virus?

Doug Goss dgoss at beca.co.nz
Sat Mar 8 00:41:13 GMT 2003


Danny
The PGP key you link to at http://akasha.irt.drexel.edu/danny.asc
has a fingerprint of 26A5 26D5 B0B3 35A6 5D27  129A 7F25 FAFB 23BB 50E8 and
ID 0x23BB50E8
and is different from the key you signed this message with. It has an ID
Signer Key ID: 0xF4EDF1E0.

Interested in your sister network virus problem.  Any developments?

Doug Goss

-----Original Message-----
From: Danny [mailto:danny at eboundary.com]
Sent: Saturday, 8 March 2003 11:46 a.m.
To: 'General DShield Discussion List'
Subject: [Dshield] New virus?


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hey Guys,
	   We have been alerted to a virus outbreak by one of our sister
networks that appears to be new and undetected by Norton AV and is
mis-detected by McAfee. McAfee detects this virus as backdoor-jz but is
unable to clean the virus. Sorry I don't have a whole lot of details on
this yet but here is a list of the files running on infected systems. 

> 
> These are the virus processes that we've seen running:
> 
> cbnegs.exe
> Winlogon .exe
> sjhdyl.exe
> kbld.exe
> duckduck.exe
> explorer .exe
> ~xxxxx
> oocfwm.exe
> gwigsb.exe
> jkexnj.exe
> lknq.exe
> kjnj.exe

The virus appears to infect Windows hosts regardless of the OS version.
It appears to alter the start menu items of infected hosts and makes
them look garbled. At this time I don't know how this virus is spreading
but I will let you know if I find out, none of the hosts I have access
to are currently infected but it appears to be spreading through our
sister network pretty quickly.

Has anyone seen anything like this? Or recognize the signature maybe? 

Any info would be greatly appreciated.

Cheers
Danny
Network Security Engineer
Drexel University
PGP Print: C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC F4ED F1E0
PGP Key: http://akasha.irt.drexel.edu/danny.asc
 


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPmkhMGb1zPz07fHgEQKkRACgmhJYonexF1KxP1EhJntVE50qSzcAnj48
J5S3s1307iW40m4vON3ql8ui
=hT3W
-----END PGP SIGNATURE-----
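Doug's observation above rests on a property of OpenPGP v4 keys: the key ID is simply the low-order bits of the key's fingerprint (the last 16 hex digits for the 64-bit ID, the last 8 for the 32-bit ID shown by older clients; RFC 4880 section 12.2). The check can therefore be done mechanically. Added example in Python, not code from the thread; the fingerprints and signer key ID are the ones quoted in the two messages.

```python
import re

# Values constructed from the thread: the key served at the linked URL,
# the fingerprint in Danny's signature line, and the signer key ID the
# PGP client reported for the signed message.
LINKED_KEY_FINGERPRINT = "26A5 26D5 B0B3 35A6 5D27  129A 7F25 FAFB 23BB 50E8"
SIGNATURE_LINE_FINGERPRINT = "C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC F4ED F1E0"
SIGNER_KEY_ID = "0xF4EDF1E0"


def normalize_fingerprint(fp: str) -> str:
    """Strip spacing/punctuation and upper-case a 40-hex-digit v4 fingerprint."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(digits) != 40:
        raise ValueError(f"expected 40 hex digits for a v4 fingerprint, got {len(digits)}")
    return digits


def normalize_key_id(kid: str) -> str:
    """Accept '0xF4EDF1E0', 'F4ED F1E0' or a 16-digit long ID; return bare upper-case hex."""
    kid = kid.strip()
    if kid.lower().startswith("0x"):
        kid = kid[2:]
    digits = re.sub(r"[^0-9A-Fa-f]", "", kid).upper()
    if len(digits) not in (8, 16):
        raise ValueError("key ID must be 8 (short) or 16 (long) hex digits")
    return digits


def key_id_from_fingerprint(fp: str, bits: int = 32) -> str:
    """Derive the key ID as the low `bits` bits of the v4 fingerprint (RFC 4880 12.2)."""
    if bits not in (32, 64):
        raise ValueError("OpenPGP key IDs are 32 or 64 bits")
    return "0x" + normalize_fingerprint(fp)[-(bits // 4):]


def fingerprint_matches_key_id(fp: str, key_id: str) -> bool:
    """True when key_id (short or long form) is what this fingerprint's key would report."""
    kid = normalize_key_id(key_id)
    return key_id_from_fingerprint(fp, bits=len(kid) * 4)[2:] == kid


def check_thread() -> dict:
    """Reproduce Doug's comparison: which of the two keys actually signed the message?"""
    return {
        "linked_key_id": key_id_from_fingerprint(LINKED_KEY_FINGERPRINT),
        "linked_key_signed_message": fingerprint_matches_key_id(LINKED_KEY_FINGERPRINT, SIGNER_KEY_ID),
        "sigline_key_signed_message": fingerprint_matches_key_id(SIGNATURE_LINE_FINGERPRINT, SIGNER_KEY_ID),
    }


if __name__ == "__main__":
    print(check_thread())
```

A 32-bit short ID is small enough to be brute-forced into a collision, so a matching short ID only narrows the candidates; the full fingerprint comparison is the real test of which key signed.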
