[Dshield] Possible virus/worm?

Jason Brooks brooksje at longwood.edu
Mon Oct 25 12:37:16 GMT 2004


Sounds like a variant of SDBot/Gaobot/*bot.  We had several boxes with an
executable doing the same thing in the same place, but called
quicktimee.exe.  After submitting to McAfee, we received an extra DAT for
detection.  This one was detected as W32/SDBot.gen. 

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Ted August
Sent: Saturday, October 23, 2004 3:09 PM
To: list at lists.dshield.org
Subject: [Dshield] Possible virus/worm?

Hello everyone,

I am new to this list, but I have been googling all day and have not
been able to find any answers so far.  Our network was recently hit
with a new worm/virus that has not been detected by Symantec AV
Corporate.

The symptoms are as follows:

1.  Creates a file called "quiktime32.exe" (note the misspelling) in
c:\%systemroot%\system32.
2.  Creates a service called "QuickTime Player" that cannot be
disabled or stopped from the Computer Management Console.
3.  Generates a ton of traffic on port 445.

One of our network admins believes that this is a new variant of
Sasser, but otherwise we have been unsuccessful in diagnosing the
problem.  It seems to have hit mostly Windows 2000 computers on our
network.

If anyone else is having the same problem and could provide some
feedback as to what this is, it would be much appreciated.  We did
submit the file to Symantec but haven't heard back yet.

Thanks!

Ted August
_______________________________________________
DShield and the Internet Storm Center are sponsored by the SANS Institute.
To learn more about current SANS training, see http://www.sans.org .

_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
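As an added example (not code from either poster, and not a detection for any particular family), here is a small Python triage script that checks a host for the three indicators the thread describes: a misspelled look-alike executable in system32, a service that wraps it, and a burst of half-open connections to TCP/445, which is what SMB scanning for new victims looks like in a netstat snapshot. The look-alike name list, the allowlist, the scan threshold and all sample input (directory listing, service table, netstat output) are constructed assumptions for illustration; the script generalises the thread's two file names to any one-edit typosquat of a known name.

```python
"""Triage helpers for the SDBot-style indicators described in the thread:
a misspelled look-alike executable in system32, a service wrapping it, and
a burst of outbound connections to TCP/445 (SMB scanning for new victims).

Added example, not code from the original posts. All inputs are constructed
inline and modelled on a Windows 2000 host; the look-alike list, allowlist
and scan threshold are assumptions chosen for illustration.
"""
import re

# Product/system binary names that droppers commonly imitate (assumption).
LOOKALIKE_TARGETS = ("quicktime", "svchost", "lsass", "explorer")
# Executables that legitimately live in system32 (assumed allowlist).
LEGIT_SYSTEM32 = {"svchost.exe", "lsass.exe", "explorer.exe", "notepad.exe"}


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_system32_names(filenames):
    """Return (filename, imitated_name) for .exe names one edit away from a
    known name, ignoring a trailing digit suffix such as the '32' in
    quiktime32.exe. Names on the allowlist are skipped."""
    hits = []
    for name in filenames:
        low = name.lower()
        if not low.endswith(".exe") or low in LEGIT_SYSTEM32:
            continue
        stem = re.sub(r"\d+$", "", low[:-4])
        for target in LOOKALIKE_TARGETS:
            if stem != target and levenshtein(stem, target) <= 1:
                hits.append((name, target))
                break
    return hits


def suspicious_services(services):
    """Service names whose binary is one of the look-alike executables."""
    flagged = []
    for svc in services:
        exe = svc["path"].rsplit("\\", 1)[-1]
        if suspicious_system32_names([exe]):
            flagged.append(svc["name"])
    return flagged


# One 'netstat -an' row: proto, local addr:port, remote addr:port, optional state.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Parse 'netstat -an' output into dicts; headers and UDP '*:*' rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        conns.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                      "raddr": raddr, "rport": int(rport), "state": state or ""})
    return conns


def smb_scan_targets(conns):
    """Distinct remote hosts with a half-open (SYN_SENT) connection to 445.
    Many distinct targets in one snapshot is the scanning signature; a normal
    file-server client shows a few ESTABLISHED sessions instead."""
    return sorted({c["raddr"] for c in conns
                   if c["proto"] == "TCP" and c["rport"] == 445 and c["state"] == "SYN_SENT"})


def triage(filenames, services, netstat_text, scan_threshold=20):
    """Combine the three checks into one finding dict (threshold is an assumption)."""
    targets = smb_scan_targets(parse_netstat(netstat_text))
    return {
        "lookalike_files": suspicious_system32_names(filenames),
        "suspicious_services": suspicious_services(services),
        "smb_scan_targets": len(targets),
        "smb_scanning": len(targets) >= scan_threshold,
    }


# --- constructed sample input (not captured from the posters' hosts) ---
SAMPLE_FILES = ["kernel32.dll", "svchost.exe", "quiktime32.exe", "notepad.exe",
                "quicktimee.exe", "svch0st.exe"]
SAMPLE_SERVICES = [
    {"name": "Spooler", "path": r"C:\WINNT\system32\spoolsv.exe"},
    {"name": "QuickTime Player", "path": r"C:\WINNT\system32\quiktime32.exe"},
]
SAMPLE_NETSTAT = "\n".join(
    ["Active Connections", "",
     "  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING",
     "  TCP    10.0.0.5:1029          10.0.0.2:139           ESTABLISHED",
     "  UDP    0.0.0.0:137            *:*"]
    + [f"  TCP    10.0.0.5:{1100 + i}  10.0.0.{10 + i}:445  SYN_SENT" for i in range(25)]
)

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_NETSTAT))
```

On a real host the inputs would come from a directory listing of %SystemRoot%\system32, the service table, and `netstat -an` taken while the box is generating the port 445 traffic; a single snapshot with dozens of distinct SYN_SENT targets on 445 is the piece that separates a propagating worm from ordinary file sharing.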