shagopia at email.unc.edu
Wed Sep 10 17:42:45 GMT 2003
Our campus has seen a unique virus that displays the same symptoms as
two viruses already in existence (Gaobot.AA and Sdbot.N) but this one
doesn't show up in the latest virus definitions. Evidence has already
been submitted to Symantec from our office for forensics.
Please let me know if anyone else has seen signs of this:
-heavy Netbios scanning, port 445 (mostly) but also 135 seen as well
-could be confused with Welchia:
The attackers may have used the same RPC vulnerability to infect the
- The victims connect to an IRC server and begin issuing DDOS commands
using spoofed IPs.
-exploits weak or absent Admin passwords/shares
-floods network with spoofed IP packets (RFC1918 source IP addresses):
The worm attempts to spread to non-existent IP addresses in the same
subnet. This causes a lot of network disruption.
On machine, look for:
1. In C:\WINNT\System32, delete
-scvhost.exe (rather than the normal svchost.exe)
2. Task Manager reveals scvhost.exe, stop process
3. Go to the registry and look for the following keys:
Look for "ConfigLoader---scvhost.exe" and delete both keys
4. All machines I saw were running Win2K and were also infected with
Welchia, or had Welchia a few weeks ago and had the worm recently cleaned
off, which is why I think this exploits the same vulnerability as Welchia.
5. NO ADMIN OR WEAK ADMIN PASSWORDS
All the machines I've seen had the latest virus definitions and the
latest hotfixes but were still found to have this.
Stephanie A. Hagopian
IT Security Analyst
University of North Carolina-Chapel Hill
105 Abernethy Hall
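The post above gives three indicators: fan-out scanning on TCP 445/135 across a subnet, a process named scvhost.exe masquerading as svchost.exe, and a "ConfigLoader" autorun entry pointing at that binary. The script below is an added example (not code from the original message or from UNC) that turns those indicators into detection logic and runs it over constructed sample data. The flow-record shape (src, dst, dport), the scan threshold, the process list and the registry value contents are all assumptions made for illustration; the registry value name and path are reconstructed from the post's wording rather than taken from an actual sample.

```python
"""Detection helpers for the worm indicators described in the post.

Added example, not part of the original message. Checks:
  1. hosts fanning out on TCP 445/135 to many distinct destinations
     (the "heavy NetBIOS scanning" of nonexistent hosts in one subnet),
  2. running processes whose name is a near-miss of svchost.exe,
  3. autorun registry values that reference scvhost.exe.
Record formats and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
import ipaddress

NETBIOS_PORTS = {445, 135}
SCAN_THRESHOLD = 20  # assumed: distinct peers on these ports before a host is flagged


def scan_suspects(flows, ports=NETBIOS_PORTS, threshold=SCAN_THRESHOLD):
    """Return {src_ip: distinct_destination_count} for sources that fan out.

    `flows` is an iterable of (src_ip, dst_ip, dst_port) tuples, as you would
    pull from NetFlow or a firewall log. A worm sweeping a subnet touches
    hundreds of distinct peers; a normal client talks to a few file servers.
    """
    fanout = defaultdict(set)
    for src, dst, dport in flows:
        if dport in ports and src != dst:
            fanout[src].add(dst)
    return {src: len(d) for src, d in fanout.items() if len(d) >= threshold}


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute), used for name lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_processes(names, legit=("svchost.exe",), max_dist=2):
    """Flag process names within `max_dist` edits of a legitimate name but not equal to it.

    scvhost.exe differs from svchost.exe by a swapped "cv", which is two
    substitutions, so the default threshold catches it without flagging
    unrelated names such as lsass.exe.
    """
    hits = []
    for name in names:
        n = name.lower()
        for good in legit:
            if n != good and levenshtein(n, good) <= max_dist:
                hits.append((name, good))
    return hits


def suspicious_autoruns(values, needle="scvhost.exe"):
    """Return autorun values whose data mentions the impostor binary.

    `values` maps registry value name -> data, e.g. the contents of
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    """
    return {k: v for k, v in values.items() if needle in v.lower()}


def build_sample_flows():
    """Constructed flows: one host sweeping its /24 on 445 and a neighbour range on 135,
    plus two clients doing ordinary file-server traffic."""
    infected = "10.0.5.23"
    flows = [(infected, str(ip), 445)
             for ip in ipaddress.ip_network("10.0.5.0/24").hosts()
             if str(ip) != infected]                     # 253 distinct peers
    flows += [(infected, "10.0.6.%d" % i, 135) for i in range(1, 30)]  # 29 more
    flows += [("10.0.5.40", "10.0.1.10", 445), ("10.0.5.40", "10.0.1.11", 445),
              ("10.0.5.41", "10.0.1.10", 445)]
    return flows


# Constructed process list and Run-key contents (the ConfigLoader value name and
# path are reconstructed from the post's wording, not from a real sample).
SAMPLE_PROCESSES = ["svchost.exe", "lsass.exe", "scvhost.exe", "explorer.exe"]
SAMPLE_RUN_VALUES = {
    "ConfigLoader": r"C:\WINNT\System32\scvhost.exe",
    "Synchronization Manager": "mobsync.exe /logon",
}

if __name__ == "__main__":
    print("scanners:", scan_suspects(build_sample_flows()))
    print("lookalikes:", lookalike_processes(SAMPLE_PROCESSES))
    print("autoruns:", suspicious_autoruns(SAMPLE_RUN_VALUES))
```

The fan-out check is the one worth wiring into a flow collector, since it fires from the network side before anyone logs on to the box; the process and registry checks are what you run on a host the network check has already pointed at. Tune the threshold against a week of normal 445 traffic for your own file-server population before trusting it.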