[Dshield] Anyone seen

Daugherty Bryan daugherty at uamont.edu
Thu Feb 26 21:39:17 GMT 2004


We do run some Dameware and have been seeing clients mysteriously crash.

Here's what I found:

HKEY_LOCAL_MACHINE\system\controlset002\services\soundman\imagepath
"c:\windows\system32\sndman.exe" -service

HKEY_LOCAL_MACHINE\system\controlset004\services\soundman\imagepath
"c:\windows\system32\sndman.exe" -service

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\soundman\imagepath
"c:\windows\system32\sndman.exe" -service

Plus I found the following file in C:\windows\prefetch:

Sndman.exe.pf
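The triage step above (a service key that appears under every control set and points at an unfamiliar binary) can be repeated across a fleet by diffing an exported registry hive against a clean baseline. The script below is an added example, not code from the thread; the .reg text and the baseline service list are constructed, and the hypothetical workflow assumes `reg export HKLM\SYSTEM` output from the suspect host and a service list taken from a known-clean machine of the same build.

```python
import re
from collections import defaultdict

# Constructed sample of what a `reg export HKLM\SYSTEM` extract looks like for the
# Services keys; not an export from the machines discussed in the thread.
SUSPECT_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\soundman]
"ImagePath"="c:\\windows\\system32\\sndman.exe -service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\soundman]
"ImagePath"="c:\\windows\\system32\\sndman.exe -service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soundman]
"ImagePath"="c:\\windows\\system32\\sndman.exe -service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"
"""

# Constructed baseline: service key names exported from a known-clean host (lower-cased).
BASELINE_SERVICES = {"spooler", "dhcp", "lanmanserver"}

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\([^\\\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"ImagePath"="(.*)"$', re.I)

def parse_service_image_paths(reg_text):
    """Return {service_name_lower: {control_set: image_path}} from .reg-format text."""
    result = defaultdict(dict)
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = (key.group(1), key.group(2).lower())
            continue
        val = VAL_RE.match(line)
        if val and current:
            control_set, service = current
            # .reg files double every backslash; undo that for a readable path.
            result[service][control_set] = val.group(1).replace("\\\\", "\\")
    return dict(result)

def find_unknown_services(reg_text, baseline):
    """Services present on the suspect host but absent from the clean baseline,
    with the control sets that carry them (a key in every control set survives
    a Last Known Good boot, so it is worth noting where it appears)."""
    paths = parse_service_image_paths(reg_text)
    return {svc: sets for svc, sets in paths.items() if svc not in baseline}
```

Anything this flags is a candidate for the "more than just sndman.exe" that Corinne mentions, to be checked against the file on disk and the vendor's write-up rather than deleted blindly.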

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of Corinne Cook
Sent: Thursday, February 26, 2004 12:06 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Anyone seen

Ahh...that all sounds far more suspicious then.  There is likely more than
just the sndman.exe file to look for, too.

Gaobot can open an IRC channel so that could be something to do with the
port 6129 (6129 is also associated with Dameware, I believe, which recently
had a large exploit discovered.  You don't run Dameware, do you?).

I don't see anything about Gaobot spreading via infected office docs so that
may not be the source, but it is still worth patching those to avoid docs
with infected macros and the like (remember infected Word/Excel docs can
come in on CDs, floppies, ftp, network shares, and not just email).

Is anything odd found on those computers' registries, particularly in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices?

I'd be interested to hear the final results of this.  Keep me posted.

Thanks,

Corinne

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of Daugherty Bryan
Sent: Thursday, February 26, 2004 8:19 AM
To: General DShield Discussion List
Subject: RE: [Dshield] Anyone seen


Initially I thought it was related to sound apps or the sound card.
However, it only resides on 20 or 25 of my XP PCs.  Incidentally, these
PCs all reside on the same subnet.  My other subnets have not been
impacted.  When I remove the file all of my sound devices are still intact.

I believe you are correct about SUS.  To my knowledge it only pushes OS
updates.  From what I can tell all the systems infected contain the
sndman.exe file with a creation date of February 12th or 13th.  There is no
doubt that the OS on the PCs in question was updated at that time.
However, this does not include the Office updates.

Does anyone know of a worm that exploits Office?

It's funny to me that as soon as I remove this file from the PCs the ARP
broadcasts (from the IP of the PC) stop, and over 200 flows of traffic through
Packeteer (from the IP of the PC) destined for random IPs, using a mix of
ports 135, 445 and 6129, all stop.  Also, I have used aports.exe to examine
open ports on the PCs and it reveals the same thing.  If it's not a bug I would
like to know what software or misconfiguration displays this behavior.

One group has already examined the file and has identified it as
Win32.GAOBOT.HJ.  My virus company is currently examining the file.


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of Corinne Cook
Sent: Wednesday, February 25, 2004 4:07 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Anyone seen

The only thing I could dig up on Sndman.exe is that it is possibly
something related to sound apps or the sound card on the computer, so it may
not be anything to worry about, but I've never had that service on any of my
computers so I can't say for certain.

One other item of note.  I don't believe SUS pushes out MS Office patches
and service packs, and there are several patches/SPs for all versions of
Office available.  Do you run any versions of Word, Excel, Outlook, etc. in
your environment?  They are another possible area of attack from infected
documents, etc.  There's also always the possibility that something was
exploited before it was patched and that it is a custom job or something not
detected by AV.

Although, I'm not really convinced that there is actually an exploit going
on here without more data and proof.  It could be traffic due to equipment
(hubs) or even something misconfigured somewhere; I'd say there are at least
a couple of possibilities that aren't necessarily the result of infection or
intrusion.  I'd say do more investigation into the services, search for
suspicious open ports on the machines and use a sniffer to see if there's
any suspicious traffic that might point towards something more definite.  

-Corinne Cook



-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of Daugherty Bryan
Sent: Wednesday, February 25, 2004 1:01 PM
To: General DShield Discussion List
Subject: RE: [Dshield] Anyone seen


I checked each PC in question and they were in fact up to date.  I have been
successful in using SUS to push SPs and critical updates.  My AV console
allows me to manually push AV defs to those few PCs that might miss an
auto update.  I check for OS updates and AV updates several times a day.

I do see some similarities to Gaobot.  However, I would like to think my
virus engine would detect this by now.

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
