New Virus?

Stephanie Hagopian shagopia at email.unc.edu
Wed Sep 10 17:42:45 GMT 2003


Our campus has seen a unique virus that displays the same symptoms as 
two viruses already in existence (Gaobot.AA and Sdbot.N) but this one 
doesn't show up in the latest virus definitions. Evidence has already 
been submitted to Symantec from our office for forensics.

Please let me know if anyone else has seen signs of this:

SYMPTOMS:

- heavy NetBIOS scanning on port 445 (mostly), but 135 has been seen as well
- could be confused with Welchia: the attackers may have used the same RPC
  vulnerability to infect the victims
- the victims connect to an IRC server and begin issuing DDoS commands
  using spoofed IPs
- exploits weak or absent Admin passwords/shares
- floods the network with spoofed IP packets (RFC 1918 source addresses):
  the worm attempts to spread to non-existent IP addresses in the same
  subnet, which causes a lot of network disruption
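The network symptoms above can be picked out of ordinary flow records. The script below is an added example, not code from the original post: it builds a constructed set of flow lines (the 198.51.100.0/24 documentation range stands in for a campus subnet, 198.51.100.77 is the sweeping host, and two RFC 1918 addresses that do not belong on that network flood a single target), then reports any source that touches many distinct hosts on 445/135 and any packet arriving with an RFC 1918 source address. The threshold of 20 targets is an assumption to tune per site.

```python
"""
Flow-log triage for the symptoms listed above: hosts sweeping many
neighbours on TCP 445/135 and floods arriving from RFC 1918 source
addresses. Added example, not from the original post.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 spelled out: ipaddress's is_private also matches the
# documentation range used below for constructed data.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_PORTS = {445, 135}   # SMB over NetBIOS/TCP and the RPC endpoint mapper
SCAN_THRESHOLD = 20       # distinct targets before a source counts as a scanner (assumed)


def build_sample_flows():
    """Constructed flow records, one per line: 'timestamp src dst dport proto'.

    .77 sweeps hosts .1-.60 on both ports, .10 talks normally to one file
    server, and 10.1.2.3 / 192.168.5.5 (spoofed, RFC 1918) flood .200.
    """
    lines = []
    for host in range(1, 61):
        for port in (445, 135):
            lines.append(f"2003-09-10T17:00:{host % 60:02d} 198.51.100.77 "
                         f"198.51.100.{host} {port} tcp")
    for n in range(5):
        lines.append(f"2003-09-10T17:01:{n:02d} 198.51.100.10 198.51.100.20 445 tcp")
    for n in range(50):
        for src in ("10.1.2.3", "192.168.5.5"):
            lines.append(f"2003-09-10T17:02:{n % 60:02d} {src} 198.51.100.200 80 tcp")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the simple flow format into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        flows.append((ts, src, dst, int(port), proto))
    return flows


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_scanners(flows, threshold=SCAN_THRESHOLD):
    """Map each source that hit >= threshold distinct hosts on 445/135 to its target count."""
    targets = defaultdict(set)
    for _, src, dst, port, _ in flows:
        if port in SCAN_PORTS:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def find_spoofed_sources(flows):
    """Count packets per RFC 1918 source; on a public campus segment these are spoofed."""
    counts = defaultdict(int)
    for _, src, _, _, _ in flows:
        if is_rfc1918(src):
            counts[src] += 1
    return dict(sorted(counts.items()))


def triage(text):
    flows = parse_flows(text)
    return {"scanners": find_scanners(flows),
            "spoofed_sources": find_spoofed_sources(flows)}


if __name__ == "__main__":
    for kind, hits in triage(build_sample_flows()).items():
        print(kind, hits)
```

On real data, feed the output of whatever flow collector the border routers export after converting it to the five-column form; the normal host (.10) never reaches the threshold, while the sweeping host is reported with its full target count, which is the "scanning non-existent addresses in the same subnet" pattern.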

On machine, look for:

1. In C:\WINNT\System32, delete:
-scvhost.exe (note the spelling; the legitimate file is svchost.exe)
-winhlpp32.exe

2. Task Manager shows scvhost.exe running; stop the process.

3. Go to the registry and look under the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Look for the value "ConfigLoader" (pointing to scvhost.exe) and delete it from both keys.

4. All machines I saw were running Win2K and also were infected with 
Welchia or had Welchia a few weeks ago and had the worm recently cleaned 
off, which is why I think this exploits the same vulnerability as Welchia.

5. NO ADMIN OR WEAK ADMIN PASSWORDS

All the machines I've seen had the latest virus definitions and the 
latest hotfixes but were still found to have this.
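The host checks in steps 1 through 3 can be scripted so that the same test is run on every suspect machine. The script below is an added example, not code from the original post. Its core functions take a System32 file listing, a process list and the Run/RunServices values as plain Python data, so they can be exercised on the constructed sample included here; on Windows it also collects live data through os.listdir, the standard winreg module and tasklist. The lookalike test goes one step beyond the post: it flags any name within one edit (including a transposition, as in scvhost) of svchost.exe, not only the exact string.

```python
"""
Host-side check for the indicators listed above: scvhost.exe and
winhlpp32.exe in System32, a running scvhost.exe process, and the
ConfigLoader value under the Run and RunServices keys.
Added example, not from the original post.
"""
import csv
import os
import platform
import subprocess

SUSPECT_FILES = {"scvhost.exe", "winhlpp32.exe"}    # file names from the post
LEGIT_SERVICE_HOST = "svchost.exe"
SUSPECT_VALUE_NAME = "configloader"                 # registry value name from the post
RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed sample data standing in for a dirty Win2K host.
SAMPLE_FILES = ["kernel32.dll", "svchost.exe", "SCVHOST.EXE", "winhlpp32.exe", "notepad.exe"]
SAMPLE_PROCESSES = ["System", "svchost.exe", "scvhost.exe", "explorer.exe"]
SAMPLE_RUN = {
    RUN_KEYS[0]: [("ConfigLoader", "scvhost.exe"), ("Updater", r"C:\Tools\updater.exe")],
    RUN_KEYS[1]: [("ConfigLoader", "scvhost.exe")],
}


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def looks_like_svchost(name):
    """True for names one edit away from svchost.exe, but not svchost.exe itself."""
    n = name.lower()
    return n != LEGIT_SERVICE_HOST and osa_distance(n, LEGIT_SERVICE_HOST) <= 1


def check_files(filenames):
    return sorted(f for f in filenames if f.lower() in SUSPECT_FILES)


def check_processes(process_names):
    return sorted({p for p in process_names if p.lower() in SUSPECT_FILES})


def check_run_values(run_values):
    """run_values maps a key path to a list of (value name, data) pairs."""
    hits = []
    for key, values in run_values.items():
        for name, data in values:
            if name.lower() == SUSPECT_VALUE_NAME or \
                    any(s in str(data).lower() for s in SUSPECT_FILES):
                hits.append((key, name, data))
    return hits


def scan_host(files, processes, run_values):
    """Pure evaluation of collected data, so it also runs on the constructed sample."""
    return {
        "files": check_files(files),
        "lookalikes": sorted({f for f in files if looks_like_svchost(f)}),
        "processes": check_processes(processes),
        "run_values": check_run_values(run_values),
    }


def collect_live_windows():
    """Gather the same three inputs from a live Windows host (winreg, tasklist)."""
    import winreg
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"), "System32")
    files = os.listdir(system32)
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True)
    processes = [row[0] for row in csv.reader(out.stdout.splitlines()) if row]
    run_values = {}
    for sub in RUN_KEYS:
        values = []
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    values.append((name, data))
                    i += 1
        except OSError:
            pass                       # key absent on this system
        run_values[sub] = values
    return files, processes, run_values


if __name__ == "__main__":
    if platform.system() == "Windows":
        print(scan_host(*collect_live_windows()))
    else:
        print(scan_host(SAMPLE_FILES, SAMPLE_PROCESSES, SAMPLE_RUN))
```

Run it as an account that can read HKLM; the script only reports, so the deletions in steps 1 through 3 remain a deliberate manual action after the findings have been reviewed.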


-- 
Stephanie A. Hagopian
IT Security Analyst
University of North Carolina-Chapel Hill
105 Abernethy Hall

https://www.unc.edu/security/staff/shagopia
