[Dshield] Blaster, or AOL strangeness...

Doug White doug at clickdoug.com
Thu Oct 9 00:48:53 GMT 2003


www.symantec.com has a program called fixblaster.exe available for free
download.

You might download that program from a different computer and then save it to a
bootable floppy disk.

Then run that against your home computer.

======================================
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
======================================
If you are not satisfied with my service, my job isn't done!

----- Original Message ----- 
From: "jamesmulick" <jamesmulick at columbus.rr.com>
To: "'General DShield Discussion List'" <list at dshield.org>
Sent: Wednesday, October 08, 2003 5:37 PM
Subject: Re: [Dshield] Blaster, or AOL strangeness...


| I am replying to this because I seem to have a problem with a machine I use
| at home.
|
| Two nights ago I opened an email from a trusted person from NIH in DC. A
| strange window opened asking for a user name and password. I clicked cancel
| a couple of times, it came up again and I did the same a few times. I
| printed the main body of the email, and noted it had an attachment. I
| deleted it. An internet Explorer window opened, apparently to a page from
| Microsoft, suggesting I download an upgrade for Outlook, which I did. Just
| before the Outlook upgrade window loaded another window opened briefly, a
| smaller one, that said something like, you seem to have been infected by the
| Blaster Worm. I dismissed this as strange. All this stuff is happening, but
| with growing unease, I respond more or less reflexively.
|
| Then my computer started to slow agonizingly. I rebooted, updated Norton AV,
| ran checks of the system, ran pest patrol, everything seems OK, but is
| slowing even more, with open programs becoming unresponsive to being closed.
| Then I think of Norton Cleansweep. I open it and note that was a program
| downloaded from the internet on that date, but I never did so intentionally.
| I use Norton to locate all parts and delete. A 250mb program is deleted and
| archived, identified as my Documents and Settings folder. Now I am scared. I
| check that folder, but it seems to be there and OK. I delete the archived
| folder. Computer is still slow.
|
| After reboots and new virus checks I open Eudora. I find my Inbox contents
| and all mail server info are deleted! I then Open Outlook, which uses other
| email accounts, and when I go to my inbox, emails highlighted begin deleting
| one at a time, slowly, about one per second. This seems very bad. I exit and
| use Zone Alarm to stop all internet traffic.
|
| Things stay this way until last night, when I look at resources used, and
| see that CPU use is at max even though not much is running and that Visual
| Zone is using about 250 megs of RAM. I shut down a few processes, including
| Visual Zone, and the computer runs at normal speed. Outlook still deleted
| inbox email one at a time, so I close it. Eudora, now reconfigured, works OK
| and nothing new is deleted. That's about where I am. Note that I am sketchy
| on what exactly happened with that strange email, and might have made errors
| in the sequence of subsequent events or skipped relevant events because I
| was not paying very close attention.
|
| What happened to me? Is there a fix short of reformatting the HD and
| reinstalling everything? Are data files likely to reinfect if I put them
| back on a reformatted drive? Feel free to forward this message to anyone who
| might be interested or be able to help. THX.
|
| James A. Mulick, Ph.D.
| Professor, Pediatrics & Psychology
| The Ohio State University
| Columbus Children's Hospital
| 700 Children's Drive. CHPB-4
| Columbus, OH 43205-2696
| [No institutional endorsement of message content implied]
|
|
| -----Original Message-----
| From: list-bounces at dshield.org [<mailto:list-bounces at dshield.org>] On Behalf
| Of Jason Brooks
| Sent: Wednesday, October 08, 2003 8:15 AM
| To: General DShield Discussion List
| Subject: Re: [Dshield] Blaster, or AOL strangeness...
|
|
| John,
|          I would wonder if this is the case.  These are the ports infected
| machines <<listen>> on, yes?  Unless AOL has an entire class C infected,
| this doesn't appear to be the case, at least from what we've seen here.  My
| contact with an individual at AOL stated that there were no openings on port
| 4444 on the class C in question.
| Jason Brooks
| At 03:40 PM 10/7/2003 -0500, you wrote:
| >Good answers and I checked, there are many trojans that use 4444, here
| >is a website that lists all ports trojans use, could help track what is
| >going on.
| ><http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html>
| >Sans has a list but the one above has more info.
| ><http://www.sans.org/resources/idfaq/oddports.php>
| >
| >JB
| >
| >
| >>
| >>We have been seeing this for at least one month.  I have been in
| >>contact with someone via another list who works for AOL.  There is
| >>nothing valid on port 4444 in the entire 205.188.134.xxx class C.  We
| >>haven't yet done any heavy packet digging, but some preliminary looking
| >>shows that AOL IM makes some use of 4444 on the client side.  The Sr Net
| >>Engineer here has also seen some port scans that match the pattern of
| >>hits we saw on 4444.  The 4444 destination hits always occurred in
| >>patterns of 3 or 4.  They would occur in clumps of 3 or 4, sometimes up
| >>to 4 times at once, generating a total of 12 to 16 packets per client,
| >>on average.  We still don't know what is triggering this.  Anyone else...?
| >>
| >>Glad we're not the only ones...
| >>Jason Brooks
| >>
| >>
| >>At 03:31 PM 10/7/2003 -0400, you wrote:
| >>>Since applying filters to port 4444 (Blaster), some unusual entries
| >>>have shown up.  Local machines are trying to connect to
| >>><host>.websys.aol.com on port 4444.  What's up with this?
| >>>
| >>>Examples (munged to RFC1918 space):
| >>>>Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 1 packet
| >>>>Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 1 packet
| >>>>Oct  7 13:39:54.317 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 1 packet
| >>>>Oct  7 13:40:17.038 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 205.188.134.233(4444), 1 packet
| >>>>Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 2 packets
| >>>>Oct  7 13:43:03.833 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 2 packets
| >>>>Oct  7 13:43:06.021 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 2 packets
| >>>>Oct  7 13:43:10.833 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 205.188.134.233(4444), 1 packet
| >>>>Oct  7 13:43:14.113 EDT: list dorm-in denied tcp 172.18.57.70(4022) -> 205.188.134.233(4444), 1 packet
| >>>>Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 1 packet
| >>>>Oct  7 13:54:34.911 EDT: list dorm-in denied tcp 172.18.121.247(1727) -> 205.188.134.237(4444), 1 packet
| >>>>Oct  7 13:59:54.805 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 2 packets
| >>>>Oct  7 14:15:54.324 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 205.188.134.234(4444), 1 packet
| >>>>Oct  7 14:16:19.768 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 205.188.134.234(4444), 1 packet
| >>>>Oct  7 14:20:54.913 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 205.188.134.234(4444), 2 packets
| >>>>Oct  7 14:21:54.918 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 205.188.134.234(4444), 2 packets
| >>>>Oct  7 15:10:55.944 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 205.188.134.234(4444), 1 packet
| >>>>Oct  7 15:12:10.793 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 205.188.134.234(4444), 1 packet
| >>>>Oct  7 15:12:26.773 EDT: list dorm-in denied tcp 172.18.17.116(50273) -> 205.188.134.234(4444), 1 packet
| >>>>Oct  7 15:16:55.195 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 205.188.134.234(4444), 8 packets
| >>>>Oct  7 15:17:55.199 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 205.188.134.234(4444), 4 packets
| >>>
| >>>>Oct  7 14:39:11.441 EDT: list stop-sql denied tcp 172.16.89.50(1134) -> 205.188.134.237(4444), 1 packet
| >>>>Oct  7 14:39:33.046 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 205.188.134.237(4444), 1 packet
| >>>>Oct  7 14:39:55.254 EDT: list stop-sql denied tcp 172.16.89.50(1141) -> 205.188.134.235(4444), 1 packet
| >>>>Oct  7 14:45:12.234 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 205.188.134.237(4444), 2 packets
| >>>
| >>>>[jeff at netsyslog jeff]$ host 205.188.134.233
| >>>>233.134.188.205.in-addr.arpa domain name pointer ht-s11.websys.aol.com.
| >>>>[jeff at netsyslog jeff]$ host 205.188.134.234
| >>>>234.134.188.205.in-addr.arpa domain name pointer ht-s12.websys.aol.com.
| >>>>[jeff at netsyslog jeff]$ host 205.188.134.235
| >>>>235.134.188.205.in-addr.arpa domain name pointer ht-s13.websys.aol.com.
| >>>>[jeff at netsyslog jeff]$ host 205.188.134.237
| >>>>237.134.188.205.in-addr.arpa domain name pointer ht-s15.websys.aol.com.
| >>>
| >>>Jeff
| >>>
| >>>
| >>>_______________________________________________
| >>>list mailing list
| >>>list at dshield.org
| >>>To change your subscription options (or unsubscribe), see:
| >>><http://www.dshield.org/mailman/listinfo/list>
| >>
| >>Jason Brooks
| >>Information Security Technician
| >>IITS
| >>116 - B Coyner
| >>Longwood University
| >>201 High Street
| >>Farmville, VA 23901
| >>(434) 395-2796
| >>
| >
|
| Jason Brooks
| Information Security Technician
| IITS
| 116 - B Coyner
| Longwood University
| 201 High Street
| Farmville, VA 23901
| (434) 395-2796
|
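The distinction Jason draws in the quoted discussion, a handful of internal hosts re-hitting the same three or four AOL servers on 4444 in clumps (with repeated packet counts that look like TCP retries after the first SYN was dropped) versus an infected machine sweeping many addresses, is easier to see once the deny lines are parsed rather than eyeballed. The following is an added example written for this page, not code from the DShield thread or from any of its posters. The line format is the one quoted above; the sample input is constructed (a few lines modelled on the thread's, a made-up host 10.9.9.9 that sweeps nine addresses, and one unrelated UDP line), and the "sweep" threshold of five distinct destinations is an assumed tuning knob, not anything the thread states:

```python
"""Summarise 'denied tcp' access-list log lines for one watched port.

Added example for this page; not code from the DShield thread or any poster.
The line format follows the access-list deny lines quoted in the thread.
Sample input is constructed: lines modelled on the thread's, a made-up host
(10.9.9.9) sweeping many addresses, and one non-matching UDP line.
"""
import re
from collections import defaultdict

# One deny line: "Oct  7 13:38:57.372 EDT: list dorm-in denied tcp
#                 172.18.57.70(4011) -> 205.188.134.233(4444), 1 packet"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) \w+: "
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?$"
)

# Constructed sample log (first six lines modelled on the thread).
SAMPLE_LOG = """\
Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 1 packet
Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 1 packet
Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 2 packets
Oct  7 13:43:03.833 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 2 packets
Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 1 packet
Oct  7 13:59:54.805 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 2 packets
Oct  7 14:10:00.000 EDT: list dorm-in denied udp 172.18.5.5(3000) -> 10.0.0.1(69), 1 packet
"""
# Made-up sweeping host: nine different destinations, one SYN each.
SAMPLE_LOG += "".join(
    f"Oct  7 14:02:01.{i:03d} EDT: list dorm-in denied tcp "
    f"10.9.9.9({1050 + i}) -> 10.0.0.{i}(4444), 1 packet\n"
    for i in range(1, 10)
)


def parse_line(line):
    """Return a dict of fields for one deny line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "pkts"):
        entry[key] = int(entry[key])
    return entry


def parse_log(text):
    """Parse every matching line of a log; silently skip the rest."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarise(entries, port=4444, sweep_threshold=5):
    """Group TCP denies to `port` by source host and label each source.

    'sweep'  : at least `sweep_threshold` distinct destinations (scanner-like).
    'retry'  : the same (src, sport, dst) tuple was denied again later,
               i.e. a client retransmitting to a fixed server.
    'single' : neither pattern.
    The threshold is an assumed tuning value, not taken from the thread.
    """
    per_src = defaultdict(lambda: {"dsts": set(), "hits": 0,
                                   "packets": 0, "retries": 0})
    seen = set()
    for e in entries:
        if e["dport"] != port or e["proto"] != "tcp":
            continue
        s = per_src[e["src"]]
        s["dsts"].add(e["dst"])
        s["hits"] += 1
        s["packets"] += e["pkts"]
        key = (e["src"], e["sport"], e["dst"])
        if key in seen:          # same 4-tuple denied again: a retry
            s["retries"] += 1
        seen.add(key)

    result = {}
    for src, s in per_src.items():
        if len(s["dsts"]) >= sweep_threshold:
            verdict = "sweep"
        elif s["retries"]:
            verdict = "retry"
        else:
            verdict = "single"
        result[src] = {"destinations": sorted(s["dsts"]), "hits": s["hits"],
                       "packets": s["packets"], "retries": s["retries"],
                       "verdict": verdict}
    return result


if __name__ == "__main__":
    report = summarise(parse_log(SAMPLE_LOG))
    for src, s in sorted(report.items(), key=lambda kv: kv[1]["verdict"]):
        print(f"{src:16} {s['verdict']:6} hits={s['hits']} "
              f"pkts={s['packets']} retries={s['retries']} "
              f"dsts={len(s['destinations'])}")
```

Run against the sample, the two hosts modelled on the thread come out as "retry" (the same source port reappears against the same AOL address with a higher packet count), while the constructed 10.9.9.9 is flagged "sweep"; the UDP line to port 69 is ignored because only TCP to the watched port is counted. The retry heuristic is only as good as the ACL logging granularity: it keys on the source port, so a client that opens a fresh socket for every attempt will not be recognised as retrying.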