[Dshield] Possible virus/worm?
jayjwa at atr2.ath.cx
Mon Oct 25 20:38:48 GMT 2004
On Sat, 23 Oct 2004, Ted August wrote:
+ Our network was
+ recently hit with a new worm/virus that has not been detected by
+ Symantec AV Corporate.
+ The symptoms are as follows:
+ 1. Creates a file called "quiktime32.exe" (note the mis-spelling) in
Likely an IRC bot. That's the default target area for many variants. The
filename, "quiktime32.exe", is settable in the source code. People tend to
choose names with "32" in them, or names that are quite similar to real
Windows system files. The idea is that the typical user won't notice one
more file with a system or OS-sounding name in the Windows\System32 area.
I'd bet this file is mysteriously referenced in
+ 2. Creates a service called "QuickTime Player" that cannot be
+ disabled or stopped from the Computer Management Console.
...or services, is the other popular place to startup from.
+ 3. Generates a ton of traffic on port 445.
This is a major replication vector for them.
+ One of our network admins believes that this is a new variant of
+ Sasser, but otherwise we have been unsuccessful in diagnosing the
+ problem. It seems to have only hit mostly Windows 2000 computers on
+ our network.
The code may be NT-specific, and won't run on things 98 and under. If you
can, watch and see what an infected machine does. Check out if it tries to
connect to someplace; get out the sniffers. If you can grab one of the
binaries, you should be able to get a good idea about what its nature is.
+ If anyone else is having the same problem, and could provide some
+ feedback as to what this is, it would be much appreciated. We did
+ submit the file to Symantec but haven't heard back yet.
The reason that so many of these files are undetected is that the source
code for this malware is widely circulated. The binary will look different
depending on simple things such as level of optimization of the compiler,
or which PE packer was used, which version, to more complex things like
changing a couple of lines in the source here & there, or omitting/adding
entire pieces altogether.
While they certainly aren't using any new or unheard of way to infect,
they seem to be highly effective due to the fact that most average users
still don't patch or update their machines, and this malware typically
relies on this, exploiting sometimes up to one of 5-6 different
vulnerabilities (or more) to gain access.
Obviously, this is just my stab at it, but from what you're saying it
sounds like this is one possible explanation. As I've posted before, my
ISP is awash with them, and I've saved logs and packets of their various
activity as proof. Dshield also seems to be posting more on botnets in
their handlers' diaries this month as well.
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
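The reply suggests getting out the sniffers and watching what an infected host does, and the original report singles out "a ton of traffic on port 445". The following is an added example, not code from either poster: a small Python script that distinguishes worm-style replication (one host opening SMB connections to many distinct neighbours in a short window) from ordinary SMB use (many connections to one file server). The log format, IP addresses, timestamps and thresholds are all constructed for the example; a real deployment would feed it connection records from whatever sniffer or flow collector is in use.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample (not real capture data). Each line is one TCP
    connection attempt seen by a sniffer: '<ISO timestamp> <src> <dst> <dport>'.
    Three hosts: one fanning out over TCP/445 to its neighbours the way a
    worm scanning a /24 does, one talking SMB to a single file server, and
    one browsing the web."""
    base = datetime(2004, 10, 25, 20, 0, 0)
    lines = []
    # Worm-like host: 40 distinct targets on 445 within 40 seconds.
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.17 10.0.1.{i + 1} 445")
    # Legitimate SMB client: many connections, but all to one server.
    for i in range(50):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 10.0.2.10 445")
    # Web browsing: many destinations, but not port 445.
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 192.0.2.{i + 1} 80")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_445_scanners(events, window=timedelta(seconds=60), min_targets=20):
    """Return {src: distinct_target_count} for every source that contacted
    at least `min_targets` distinct hosts on TCP/445 within some `window`-long
    interval. Repeated connections to the same server do not raise the count,
    so a busy but legitimate SMB client is not flagged."""
    per_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 445:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, hits in per_src.items():
        hits.sort()
        best = 0
        # Sliding window anchored at each hit; O(n^2) is fine for a sniffer log.
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    suspects = find_445_scanners(parse_log(build_sample_log()))
    for src, count in sorted(suspects.items()):
        print(f"{src}: {count} distinct hosts on TCP/445 within one window")
```

The threshold of 20 distinct hosts per minute is an assumption; tune it against a day of normal traffic so that file servers and management hosts stay below it, and treat anything flagged as a candidate for the binary-grabbing step the reply recommends rather than as proof of infection.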