[Dshield] New virus?

Danny danny at eboundary.com
Sat Mar 8 05:32:05 GMT 2003


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It appears they were hit by a new variant of "MultiDropper"; this
MultiDropper has self-replicating code which tries to spread via IPC$
shares.

The McAfee Techs who went out there released an update a little while
ago.
The info can be found at the following URL.

http://vil.nai.com/vil/content/v_100124.htm

As for the PGP key, yeah I sent the email through my personal account
which is subscribed to the list; my work account isn't, so the mail gets
dropped, oops :). The key for this email address is located at
http://www.eboundary.net/danny_at_eb.asc. Sorry about the confusion guys.


Cheers
Danny

|->-----Original Message-----
|->From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
|->Behalf Of Doug Goss
|->Sent: Friday, March 07, 2003 7:41 PM
|->To: General DShield Discussion List
|->Subject: RE: [Dshield] New virus?
|->
|->Danny
|->The PGP key you link to at http://akasha.irt.drexel.edu/danny.asc
|->has a fingerprint of 26A5 26D5 B0B3 35A6 5D27  129A 7F25 FAFB 23BB 50E8
|->and ID 0x23BB50E8
|->and is different from the key you signed this message with.  It has
|->an ID
|->Signer Key ID:0xF4EDF1E0.
|->
|->Interested in your sister network virus problem.  Any developments?
|->
|->Doug Goss
|->
|->-----Original Message-----
|->From: Danny [mailto:danny at eboundary.com]
|->Sent: Saturday, 8 March 2003 11:46 a.m.
|->To: 'General DShield Discussion List'
|->Subject: [Dshield] New virus?
|->
|->
|->
|->*** PGP SIGNATURE VERIFICATION ***
|->*** Status:   Bad Signature
|->*** Alert:    Signature did not verify. Message has been altered.
|->*** Signer:   Daniel Hay <danny at drexel.edu> (0xF4EDF1E0)
|->*** Signed:   3/7/2003 5:46:08 PM
|->*** Verified: 3/8/2003 12:20:00 AM
|->*** BEGIN PGP VERIFIED MESSAGE ***
|->
|->
|->Hey Guys,
|->We have been alerted to a virus outbreak by one of our sister
|->networks that appears to be new and undetected by Norton AV and is
|->mis-detected by McAfee. McAfee detects this virus as backdoor-jz but is
|->unable to clean the virus. Sorry I don't have a whole lot of details on
|->this yet but here is a list of the files running on infected systems.
|->
|->>
|->> These are the virus processes that we've seen running:
|->>
|->> cbnegs.exe
|->> Winlogon .exe
|->> sjhdyl.exe
|->> kbld.exe
|->> duckduck.exe
|->> explorer .exe
|->> ~xxxxx
|->> oocfwm.exe
|->> gwigsb.exe
|->> jkexnj.exe
|->> lknq.exe
|->> kjnj.exe
|->
|->The virus appears to infect Windows hosts regardless of the OS version.
|->It appears to alter the start menu items of infected hosts and makes
|->them look garbled. At this time I don't know how this virus is spreading,
|->but I will let you know if I find out. None of the hosts I have access
|->to are currently infected, but it appears to be spreading through our
|->sister network pretty quickly.
|->
|->Has anyone seen anything like this? Or recognize the signature maybe?
|->
|->Any info would be greatly appreciated.
|->
|->Cheers
|->Danny
|->Network Security Engineer
|->Drexel University
|->PGP Print: C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC F4ED F1E0
|->PGP Key: http://akasha.irt.drexel.edu/danny.asc
|->
|->
|->
|->
|->*** END PGP VERIFIED MESSAGE ***
|->
|->_______________________________________________
|->list mailing list
|->list at dshield.org
|->To change your subscription options (or unsubscribe), see:
|->http://www.dshield.org/mailman/listinfo/list
|->

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPmmAVH8l+vsju1DoEQIEjwCglvr2TITECN1eNtLb5v8Y13yAqIIAoOi5
MJKzpPgkzVGGgi0C9/MWaR6E
=+sKC
-----END PGP SIGNATURE-----
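Added example (not part of the thread or of any poster's message): the key-ID mismatch Doug points out can be checked from data that is already on this page, without fetching either key. For an OpenPGP v4 key the key ID is the low 64 bits of the 40-hex-digit fingerprint, and the 32-bit ID that PGP 8 displays (0x23BB50E8, 0xF4EDF1E0) is the low 32 bits of that; the signature packet also carries the issuer key ID in clear, so the armored block at the foot of Danny's reply says which key it was made with before any verification is attempted. The script derives key IDs from the two fingerprints quoted in the thread and decodes the issuer key ID, creation time and algorithms from that armored signature. The function and constant names are the example's own; the fingerprints and the signature base64 are copied from the page.

```python
"""Which OpenPGP key signed this mail?  Checked from the mail's own contents.

Added example; not code from the DShield list or from any poster.  The
fingerprints and the armored signature body are copied from the thread; the
helper names are this example's own.
"""
import base64
import struct
from datetime import datetime, timezone
from typing import Dict, Tuple

# Fingerprints quoted in the thread.
FP_KEY_LINKED_AT_DREXEL = "26A5 26D5 B0B3 35A6 5D27  129A 7F25 FAFB 23BB 50E8"
FP_IN_DANNY_SIG_BLOCK = "C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC F4ED F1E0"

# Base64 body of the "-----BEGIN PGP SIGNATURE-----" block at the foot of the reply.
ARMORED_SIG_BODY = (
    "iQA/AwUBPmmAVH8l+vsju1DoEQIEjwCglvr2TITECN1eNtLb5v8Y13yAqIIAoOi5"
    "MJKzpPgkzVGGgi0C9/MWaR6E"
)


def key_ids_from_fingerprint(fp: str) -> Tuple[str, str]:
    """Return (64-bit key ID, 32-bit short ID) for a v4 fingerprint.

    For v4 keys the key ID is the low-order 64 bits of the 160-bit SHA-1
    fingerprint (RFC 4880 section 12.2); the short ID PGP shows as
    0x23BB50E8 is the low-order 32 bits of that.
    """
    hexdigits = fp.replace(" ", "").upper()
    if len(hexdigits) != 40:
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return hexdigits[-16:], hexdigits[-8:]


def parse_v3_signature(armored_body: str) -> Dict[str, object]:
    """Parse the fixed header of an old-format v3 signature packet.

    Layout (RFC 4880 section 5.2.2): packet tag, length, version, length of
    hashed material (always 5), signature type, 4-byte creation time,
    8-byte issuer key ID, public-key algorithm, hash algorithm, then the
    first two bytes of the hash and the MPIs (not needed here).
    """
    raw = base64.b64decode(armored_body)
    tag = raw[0]
    if not tag & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if tag & 0x40:
        raise ValueError("new-format packet header; this example parses old-format only")
    packet_type = (tag >> 2) & 0x0F
    length_type = tag & 0x03
    if packet_type != 2:
        raise ValueError(f"packet type {packet_type} is not a signature")
    # Old-format length field is 1, 2 or 4 bytes wide (type 3 = indeterminate).
    body_offset = {0: 2, 1: 3, 2: 5}[length_type]
    body = raw[body_offset:]
    version = body[0]
    if version != 3:
        raise ValueError(f"only v3 signatures are handled here, got v{version}")
    hashed_len, sig_type = body[1], body[2]
    if hashed_len != 5:
        raise ValueError("a v3 signature hashes exactly 5 bytes")
    (created,) = struct.unpack(">I", body[3:7])
    key_id = body[7:15].hex().upper()
    pk_algo, hash_algo = body[15], body[16]   # 17 = DSA, 2 = SHA-1
    return {
        "version": version,
        "sig_type": sig_type,                 # 0x01 = canonical text document
        "created": created,
        "created_iso": datetime.fromtimestamp(created, timezone.utc).isoformat(),
        "issuer_key_id": key_id,
        "issuer_short_id": key_id[-8:],
        "pk_algo": pk_algo,
        "hash_algo": hash_algo,
    }


def issuer_matches_fingerprint(armored_body: str, fp: str) -> bool:
    """True if the signature's issuer key ID is the key ID of fingerprint fp."""
    long_id, _ = key_ids_from_fingerprint(fp)
    return parse_v3_signature(armored_body)["issuer_key_id"] == long_id


if __name__ == "__main__":
    sig = parse_v3_signature(ARMORED_SIG_BODY)
    print(f"reply signed {sig['created_iso']} by key 0x{sig['issuer_short_id']} "
          f"(pk algo {sig['pk_algo']}, hash algo {sig['hash_algo']})")
    for label, fp in (("key linked at akasha.irt.drexel.edu", FP_KEY_LINKED_AT_DREXEL),
                      ("fingerprint in Danny's .sig", FP_IN_DANNY_SIG_BLOCK)):
        long_id, short_id = key_ids_from_fingerprint(fp)
        verdict = "same key" if issuer_matches_fingerprint(ARMORED_SIG_BODY, fp) else "different key"
        print(f"{label}: 0x{short_id} (long {long_id}) -> {verdict}")
```

Run as-is, it reports that the reply above was signed by 0x23BB50E8 with DSA/SHA-1 at 05:32:04 UTC on 8 March 2003, i.e. by the key whose fingerprint Doug quoted, and not by 0xF4EDF1E0, the ID in the fingerprint of Danny's own signature block and in Doug's verifier output. Reading the issuer ID this way only tells you which key to fetch; the signature still has to be verified against that key with PGP or GnuPG, and the fingerprint confirmed with the sender out of band before the key is trusted.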


