[Dshield] Possible virus/worm?

jayjwa jayjwa at atr2.ath.cx
Mon Oct 25 20:38:48 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Sat, 23 Oct 2004, Ted August wrote:

+  Our network was
+ recently hit with a new worm/virus that has not been detected by
+ Symantec AV Corporate.
+ 
+ The symptoms are as follows:
+ 
+ 1.  Creates a file called "quiktime32.exe" (note the mis-spelling) in
+ c:\%systemroot%\system32.

Likely an IRC bot. That's the default target area for many variants. The 
filename, "quiktime32.exe", is settable in the source code. People tend to 
choose names with "32" in them, or names that are quite similar to real 
Windows system files. The idea is that the typical user won't notice one 
more file with a system or OS-sounding name in the Windows\System32 area. 
I'd bet this file is mysteriously referenced in 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run ?


+ 2.  Creates a service called "QuickTime Player" that cannot be
+ disabled or stopped from the Computer Management Console.

...or services, which is the other popular place to start up from.

+ 3.  Generates a ton of traffic on port 445.

This is a major replication vector for them.


+ One of our network admins believes that this is a new variant of
+ Sasser, but otherwise we have been unsuccessful in diagnosing the
+ problem.  It seems to have only hit mostly Windows 2000 computers on
+ our network.

The code may be NT-specific, and won't run on things 98 and under. If you 
can, watch and see what an infected machine does. Check out if it tries to 
connect to someplace; get out the sniffers. If you can grab one of the 
binaries, you should be able to get a good idea about what its nature is.

+ If anyone else is having the same problem, and could provide some
+ feedback as to what this is, it would be much appreciated.  We did
+ submit the file to Symantec but haven't heard back yet.

The reason that so many of these files are undetected is that the source 
code for this malware is widely circulated. The binary will look different 
depending on simple things such as level of optimization of the compiler, 
or which PE packer was used, which version, to more complex things like 
changing a couple of lines in the source here & there, or omitting/adding 
entire pieces altogether.
While they certainly aren't using any new or unheard of way to infect, 
they seem to be highly effective due to the fact that most average users 
still don't patch or update their machines, and this malware typically 
relies on this, exploiting sometimes up to one of 5-6 different 
vulnerabilities (or more) to gain access.
Obviously, this is just my stab at it, but from what you're saying it 
sounds like this is one possible explanation. As I've posted before, my 
ISP is awash with them, and I've saved logs and packets of their various 
activity as proof. Dshield also seems to be posting more on botnets in 
their handler's diaries this month as well.


- --- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBfWRfx2m6tbYouFERAp0wAJ902YJUkqGsyezSBnY0yVUQBmCYGACeNa0S
Q6sIFlFi6kck7aJK5FexzOE=
=PWrc
-----END PGP SIGNATURE-----
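The reply above recommends getting the sniffers out and watching what an infected host does, and the original report's third symptom is "a ton of traffic on port 445". The script below is an added example, not code from the post or from either poster: it reads flow-style records (one line per connection: timestamp, source, destination, destination port; a constructed format, assumed for illustration) and flags any source that contacts an unusually large number of distinct hosts on TCP/445 within a single time window. Distinct-destination fan-out is the signal, not raw connection count, so a normal client hammering one file server is not flagged while a host sweeping the subnet is. The sample records are constructed inline.

```python
"""Flag hosts whose TCP/445 destination fan-out looks like worm scanning.

Added example for the Dshield thread above; the record format
"<ISO timestamp> <src ip> <dst ip> <dst port>" is an assumption made
for illustration, not a format named in the post.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample flows (not from the original post).
# 10.0.0.5 plays the infected host, sweeping 10.0.0.20-10.0.0.60 on TCP/445;
# 10.0.0.7 is a normal client talking to a single file server on TCP/445;
# 10.0.0.8 just browses the web on TCP/80.
def _constructed_flows():
    lines = []
    for i, last in enumerate(range(20, 61)):
        lines.append(f"2004-10-23T10:00:{i % 60:02d} 10.0.0.5 10.0.0.{last} 445")
    for i in range(30):
        lines.append(f"2004-10-23T10:00:{i:02d} 10.0.0.7 10.0.0.1 445")
    lines.append("2004-10-23T10:00:05 10.0.0.8 192.0.2.10 80")
    lines.append("2004-10-23T10:00:06 10.0.0.8 192.0.2.11 80")
    return lines

SAMPLE_FLOWS = _constructed_flows()


def parse_flow(line):
    """Parse one record into (timestamp, src, dst, port); None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        port = int(parts[3])
    except ValueError:
        return None
    return ts, parts[1], parts[2], port


def fanout_per_window(lines, port=445, window_seconds=60):
    """Distinct destinations each source contacted on `port`, per time window.

    Returns {(src, window_start_epoch): set_of_destinations}. Malformed
    records and other ports are skipped rather than aborting the run.
    """
    buckets = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport != port:
            continue
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[(src, bucket)].add(dst)
    return buckets


def suspicious_sources(lines, port=445, window_seconds=60, threshold=20):
    """Sources whose fan-out on `port` reaches `threshold` distinct hosts in one window.

    Returns {src: highest_fanout_seen}. The threshold is a tuning knob: a
    file server or backup host legitimately talks to many peers and should
    be allow-listed rather than lowering the bar for everyone.
    """
    worst = {}
    for (src, _bucket), dsts in fanout_per_window(lines, port, window_seconds).items():
        if len(dsts) >= threshold:
            worst[src] = max(worst.get(src, 0), len(dsts))
    return worst


if __name__ == "__main__":
    for src, n in sorted(suspicious_sources(SAMPLE_FLOWS).items()):
        print(f"{src}: {n} distinct hosts on TCP/{445} within 60s")
```

Run against real capture data, the same logic works on anything that can be reduced to per-connection source/destination/port records (firewall logs, NetFlow, a `tcpdump` summary), and the flagged source is the machine to pull the binary from, as the reply suggests.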
