[unisog] New exploit

Lois Lehman LOIS.LEHMAN at asu.edu
Tue Nov 11 19:27:34 GMT 2003


A quick search on the web shows that Network Associates is releasing a
DAT file for this worm tomorrow.  See this url for details on the worm:


http://vil.nai.com/vil/content/v_100810.htm


Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139


-----Original Message-----
From: Jon Mitchiner [mailto:jon.mitchiner at gallaudet.edu] 
Sent: Tuesday, November 11, 2003 11:09 AM
To: unisog at sans.org; Allison MacFarlan
Subject: Re: [unisog] New exploit

When you examined a computer did you use Sysinternals tools (TCPView and
Process Explorer) at http://www.sysinternals.com/ntw2k/utilities.shtml ?

Usually when a computer is exhibiting strange behavior one of those two
tools will help you identify unusual programs running.

The most common way that a computer is breached is either a) weak or blank
passwords or b) the machine was not kept up to date.

Jon
----- Original Message ----- 
From: "Allison MacFarlan" <allison.macfarlan at yale.edu>
To: <unisog at sans.org>
Sent: Tuesday, November 11, 2003 12:43 PM
Subject: [unisog] New exploit


> We are trying to identify something that is going on here, and wonder if
> you're seeing this at your campuses (all of them, not just one):
>
> -waves of spoofed addresses trying to get out to various IPs and IRC
> locations (these get dropped, but they tie up the routers with traffic);
> -when a machine is examined, it has the executables characteristic of
> W32.Randex.Y, but the virus is not detected by NAV (no comments);
> -reports from all over that event logs are filling up with login attempts,
> both successes and failures, suggesting that a password cracker is also
> part of this package;
> -the machines that are examined are up-to-date with Windows patches and
> virus definitions, and the virus engine is working.
> -- 
> ++++---++++---++++---++++
> Allison S. MacFarlan
> allison.macfarlan at yale.edu
> ITS Information Security Officer, AM&T
> Yale University
> ph: 203-432-6684
> bp: 203-370-0554
> http://www.yale.edu/its/security
>
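The login-attempt storms Allison describes (runs of failures, then a success, from the same source) are the sort of pattern a small check over logon records can surface. The script below is an added example, not from anyone on this thread; it runs over constructed, simplified logon records (timestamp, source host, account, outcome) rather than a real Security log export, and the threshold of five failures is an arbitrary assumption.

```python
from collections import defaultdict

# Constructed sample records (timestamp, source host, target account, outcome),
# shaped loosely like Windows Security log logon events; not from a real machine.
SAMPLE_LOGONS = [
    ("11:01:02", "10.0.5.17", "Administrator", "FAILURE"),
    ("11:01:03", "10.0.5.17", "Administrator", "FAILURE"),
    ("11:01:03", "10.0.5.17", "Administrator", "FAILURE"),
    ("11:01:04", "10.0.5.17", "Administrator", "FAILURE"),
    ("11:01:05", "10.0.5.17", "Administrator", "FAILURE"),
    ("11:01:06", "10.0.5.17", "Administrator", "SUCCESS"),  # weak password guessed
    ("11:02:10", "10.0.5.17", "admin", "FAILURE"),
    ("11:02:11", "10.0.5.17", "admin", "FAILURE"),
    ("11:15:00", "10.0.9.3", "jsmith", "FAILURE"),          # a single typo, not an attack
    ("11:15:20", "10.0.9.3", "jsmith", "SUCCESS"),
]

def find_password_guessing(records, fail_threshold=5):
    """Group logon records by source host and report hosts whose failure count
    reaches fail_threshold (assumed value), together with the accounts they
    finally logged into after repeated failures, if any.

    Returns {source_host: {"failures": n, "compromised": [account, ...]}}.
    """
    failures = defaultdict(int)          # total failures per source host
    compromised = defaultdict(list)      # accounts reached after guessing, per host
    per_account = defaultdict(int)       # failures per (source, account) so far
    for _ts, source, account, outcome in sorted(records):
        if outcome == "FAILURE":
            failures[source] += 1
            per_account[(source, account)] += 1
        elif outcome == "SUCCESS" and per_account[(source, account)] >= 2:
            # A success only after repeated failures on the same account is
            # the "failures then success" shape of a cracker getting in.
            compromised[source].append(account)
    return {
        src: {"failures": n, "compromised": compromised[src]}
        for src, n in failures.items() if n >= fail_threshold
    }

if __name__ == "__main__":
    for src, info in find_password_guessing(SAMPLE_LOGONS).items():
        print(f"{src}: {info['failures']} failed logons; "
              f"accounts logged into after guessing: {info['compromised'] or 'none'}")
```

On the sample data only 10.0.5.17 is reported (seven failures, then a successful logon to Administrator); the lone typo from 10.0.9.3 stays below the threshold.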
