[unisog] FWD: [SECURITY] bugbear variant

Douglas Brown dugbrown at email.unc.edu
Thu Jun 5 21:58:31 GMT 2003


We've been running an Nmap scan for systems with 1080 open. Once we got a 
list of systems, we ran Amap against 1080 on those systems, and the infected 
ones returned garbage similar to the following:

ASCII: 
"+RW"\rx/kDV:d3x\r2Z;)EvbM\r\t3Rk&0XU9\ta!KY7\dH;\nM%3ojTl/\K_'[1k-gF0jzK7&yt)19&*a'N1ys&7yfEQ_MQ[DLXnHaF82E'rLp:jTf^ZGC4O%wsn:71556967"

We've found this was the quickest way to find all the bad guys.

Hope this helps,
-Doug
-- 
Douglas Brown, CISSP
Manager of Security Resources
UNC Chapel Hill
Abernethy 105
"what can Brown do for you?"

Phil.Rodrigues at uconn.edu wrote:
> (Apologies to anyone who already got this on the Educause list.)
> 
> We got hit with this today before Norton Antivirus came out with the 
> definitions.  Hopefully the defs will get updated automatically in the 
> next day or so, but we are prompting folks to manually update their defs 
> ASAP.  Our mail servers are protected with generic defs (looking for 
> dangerous attachments, etc) but we had to update one of them manually with 
> the exact def.
> 
> Infected hosts have a backdoor on 1080 (and maybe the range around that) 
> open.  It leaves behind a password stealer that Norton was unable to 
> remove with a scan, nor was it able to automatically quarantine the file. 
> As of now it looks like infected hosts should be formatted completely.
> 
> Good luck!
> 
> Phil
> 
> =======================================
> Philip A. Rodrigues
> Network Analyst, UITS
> University of Connecticut
> 
> email: phil.rodrigues at uconn.edu
> phone: 860.486.3743
> fax: 860.486.6580
> web: http://www.security.uconn.edu
> =======================================
> 
> ----- Forwarded by Phil Rodrigues/ITS/InformationServices/UConn on 
> 06/05/2003 05:25 PM -----
> 
> 
> "Bruhn, Mark S." <mbruhn at INDIANA.EDU>
> Sent by: The EDUCAUSE Security Discussion Group Listserv 
> <SECURITY at LISTSERV.EDUCAUSE.EDU>
> 06/05/2003 03:43 PM
> Please respond to The EDUCAUSE Security Discussion Group Listserv
> 
>  
>         To:     SECURITY at LISTSERV.EDUCAUSE.EDU
>         cc: 
>         Subject:        [SECURITY] bugbear variant
> 
> 
> I received a phone call a short while ago from DHS, indicating that a
> new variant of Bugbear was spreading, mostly among financial
> institutions.  That's all they told me.  We haven't received reports of
> infections here at IU yet.
> 
> But, information about it can be found at
> http://www.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html, or
> probably also at your favorite AV vendor site .
> 
> M.
> 
