Another virus

Stephanie Hagopian shagopia at email.unc.edu
Fri Sep 12 13:46:04 GMT 2003


I got a lot of helpful info when I posted the Gaobot.AB symptoms, so 
here's another one! We're seeing one that I can't find matches for on 
McAfee, TrendMicro and Norton sites that appeared last week sometime on 
our network:

SYMPTOMS: scanning NetBIOS 445/tcp, port 17850/tcp open and attacking 
other machines, opens up lots of IRC ports (randomly) to connect to 
random IRC servers outside of the network, attacks other machines with spoofed 
usernames, attempts to log into machines to exploit weak or absent admin 
passwords ("root", "user", "admin", etc.)

- It seems to come in through a webpage, because the initial installer 
is found in a subdirectory of c:\Document and Settings\Default 
Users\Local Settings\Temp Internet Files\Content.IE5\. This file copies 
itself to the c:\ root directory, where it launches.

- in the system32 folder: a fake directory named "\\v v\\s s\" (this 
folder name could be randomly generated, so might not be consistent)
- bbb.exe is in the root directory
- tool.exe is a running process and is also found in the System32 directory

- The existence of the following key or a similar key in the registry:

HK\Local System\Software\Microsoft\Windows\Current Version\Run:

     "l4m32"="c:\\winnt\\system32\\v v\\s s\\tool.exe"

- The files in '%windir%\system32\v v\s s\' may appear non-existent, 
but when viewed from a cmd window focused on this directory, you can run 
dir /ah to find the files installed by the hacker. I think the only files 
initially visible are tool.vsc and SHR.bat.

- The other thing noticed by one of our system admins is that this virus 
will remove all net share names from the system, including the admin 
shares ipc$, admin$, c$, etc.

Anyone seeing something similar?


-- 
Stephanie A. Hagopian
IT Security Analyst
University of North Carolina-Chapel Hill
105 Abernethy Hall

https://www.unc.edu/security/staff/shagopia
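Added example (not part of Stephanie's message or any vendor write-up): a PowerShell host-triage script that checks a Windows machine for the indicators listed above, so the same post can be turned into a quick yes/no across a lab. It assumes the registry path in the post refers to the HKLM Run key, that "the root directory" means the system drive root, and that the outbound IRC connections land on the conventional 6660-6669/7000 ports; none of those three points is stated in the post, so treat them as guesses to adjust. Run it from an elevated PowerShell prompt.

```powershell
# Host triage for the worm indicators described in the unisog post above.
# Added example, not the original poster's code. Items marked ASSUMPTION
# are not stated in the post and are guesses to adjust for your environment.
$ErrorActionPreference = 'SilentlyContinue'
$hits      = @()
$sys32     = Join-Path $env:WINDIR 'system32'
$hiddenDir = Join-Path $sys32 'v v\s s'

# 1. Run key value "l4m32", or any Run value whose data points into "v v\s s".
#    ASSUMPTION: the post's "HK\Local System\...\Current Version\Run" is HKLM's Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip PSPath/PSParentPath/etc. added by the provider
        if ($p.Name -eq 'l4m32' -or "$($p.Value)" -match '\\v v\\s s\\') {
            $hits += "Run value $($p.Name) = $($p.Value)"
        }
    }
}

# 2. Dropped files. Get-ChildItem -Force is the equivalent of "dir /ah": it lists
#    entries with the hidden/system attributes that Explorer and a plain dir omit.
#    ASSUMPTION: "the root directory" in the post means the system drive root.
foreach ($f in @((Join-Path $env:SystemDrive 'bbb.exe'), (Join-Path $sys32 'tool.exe'))) {
    if (Test-Path -LiteralPath $f) { $hits += "File present: $f" }
}
if (Test-Path -LiteralPath $hiddenDir) {
    $names = @(Get-ChildItem -LiteralPath $hiddenDir -Force | ForEach-Object { $_.Name })
    $hits += "Hidden directory $hiddenDir present, contents: $($names -join ', ')"
}

# 3. tool.exe running as a process.
$procs = @(Get-Process -Name tool | Where-Object { $_ })
if ($procs.Count -gt 0) {
    $hits += "tool.exe running, PID(s): $(($procs | ForEach-Object { $_.Id }) -join ', ')"
}

# 4. Network: a listener on 17850/tcp, plus established connections to IRC-range ports.
#    ASSUMPTION: the post only says "random IRC server"; 6660-6669 and 7000 are the
#    conventional IRC ports and are a guess at what to flag.
$ircPorts = @(6660..6669) + 7000
foreach ($line in (netstat -ano | Where-Object { $_ -match '^\s*TCP\s' })) {
    $c = @($line.Trim() -split '\s+')            # TCP, local, remote, state, pid
    if ($c.Count -lt 5) { continue }
    if ($c[3] -eq 'LISTENING' -and $c[1] -match ':17850$') {
        $hits += "17850/tcp listening, PID $($c[4])"
    }
    $rport = [int]($c[2] -replace '^.*:', '')
    if ($c[3] -eq 'ESTABLISHED' -and $ircPorts -contains $rport) {
        $hits += "Outbound connection to $($c[2]) (IRC-range port), PID $($c[4])"
    }
}

# 5. Administrative shares the post says the worm removes.
$shares = @(Get-CimInstance -ClassName Win32_Share | ForEach-Object { $_.Name.ToUpper() })
foreach ($s in @('IPC$', 'ADMIN$', 'C$')) {
    if ($shares -notcontains $s) { $hits += "Admin share missing: $s" }
}

if ($hits.Count -eq 0) {
    Write-Output 'No indicators from the post found on this host.'
} else {
    Write-Output "Indicators found on $($env:COMPUTERNAME):"
    $hits | ForEach-Object { Write-Output "  - $_" }
}
```

A missing admin share on its own is weak evidence (admins remove them deliberately on some builds), so weigh it together with the Run key and the hidden directory rather than alone; the Run value check matches on the directory path as well as the name because the post notes the folder name may be randomly generated.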



More information about the unisog mailing list