shagopia at email.unc.edu
Fri Sep 12 13:46:04 GMT 2003
I got a lot of helpful info when I posted the Gaobot.AB symptoms, so
here's another one! We're seeing one that I can't find matches for on
McAfee, TrendMicro and Norton sites that appeared last week sometime on
SYMPTOMS: scanning netbios 445/tcp, port 17850 tcp open and attacking
other machines, opens up lots of IRC ports (randomly) to connect to
random IRC server outside of ntwk, attacks other machines with spoofed
usernames, attempts to log into machines to exploit weak or absent admin
passwords ("root, user, admin, etc")
- It seems to come in through a webpage, because the initial installer
is found in a subdirectory of the c:\Document and Settings\Default
Users\Local Settings\Temp Internet Files\Content.IE5\. This file copies
to the c:\ root directory where it launches.
- in system32 folder:
fake directory named "\\v v\\s s\" (this folder name could be randomly
generated, so might not be consistent)
- bbb.exe is in the root directory
- tool.exe is a running process and also found in System32 directory
- The existence of the following key or similar key in the registry:
HK\Local System\Software\Microsoft\Windows\Current Version\Run:
"l4m32"="c:\\winnt\\system32\\v v\\s s\\tool.exe"
- The files in '%windir%\system32\v v\s s\' may appear non-existent,
but when viewed from a cmd window focused on this directory, you run dir
/ah to find the files installed by the hacker. I think the only files
initially visible are tool.vsc and SHR.bat.
- The other thing noticed by one of our system admins is that this virus
will remove all net share names from the systems including the admin
shares ipc$, admin$, c$, etc...
Anyone seeing something similar?
Stephanie A. Hagopian
IT Security Analyst
University of North Carolina-Chapel Hill
105 Abernethy Hall
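A host-triage script, added here as an example and not part of the original post, that checks a Windows machine for the indicators listed above (bbb.exe in the root, the hidden "v v\s s" directory and tool.exe under system32, the "l4m32" Run value, the missing administrative shares, and a listener on 17850/tcp). It assumes it is run from an elevated PowerShell session; the registry paths are spelled out in full because the key path in the post is abbreviated, and both HKLM and HKCU Run keys are checked.

```powershell
# Added triage script (not from the original post). Looks for the indicators the
# post describes; file names, registry value name and port come from the post.
# Assumes an elevated PowerShell session. $env:windir resolves to C:\WINNT on the
# 2003-era hosts described and to C:\Windows on later ones.

$indicators = @()

# 1. Dropped executable in the root of the system drive ("bbb.exe is in the root directory").
$rootDrop = Join-Path $env:SystemDrive 'bbb.exe'
if (Test-Path -LiteralPath $rootDrop) { $indicators += "File present: $rootDrop" }

# 2. Hidden "v v\s s" directory under system32 and the files inside it.
#    The post says the name may be random, so treat this as a weak indicator.
#    -Force lists hidden files, the same view 'dir /ah' gives in cmd.
$oddDir = Join-Path $env:windir 'system32\v v\s s'
if (Test-Path -LiteralPath $oddDir) {
    $indicators += "Hidden directory present: $oddDir"
    Get-ChildItem -LiteralPath $oddDir -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $indicators += "  contains: $($_.Name) (attributes: $($_.Attributes))" }
}

# 3. Run values named "l4m32" or pointing at tool.exe, in both machine and user hives.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties Get-ItemProperty adds to the object.
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
             Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $value = [string]$props.$name
        if ($name -eq 'l4m32' -or $value -match 'tool\.exe') {
            $indicators += "Run entry: $key\$name = $value"
        }
    }
}

# 4. tool.exe running as a process (Get-Process takes the name without extension).
Get-Process -Name tool -ErrorAction SilentlyContinue |
    ForEach-Object { $indicators += "Running process: tool.exe (PID $($_.Id), path $($_.Path))" }

# 5. Administrative shares removed ("ipc$, admin$, c$, etc."). 'net share' prints one
#    share per line with the name in the first column; header lines never match.
$shares = @(net share | ForEach-Object { ($_ -split '\s+')[0] })
$driveShare = $env:SystemDrive.TrimEnd(':') + '$'
foreach ($s in 'IPC$', 'ADMIN$', $driveShare) {
    if ($shares -notcontains $s) { $indicators += "Administrative share missing: $s" }
}

# 6. Anything bound to or talking on 17850/tcp ("port 17850 tcp open").
netstat -ano -p tcp | Select-String ':17850\s' |
    ForEach-Object { $indicators += "Socket on 17850/tcp: $($_.Line.Trim())" }

if ($indicators.Count -eq 0) {
    Write-Output 'No indicators from the post found on this host.'
} else {
    Write-Output 'Indicators found:'
    $indicators | ForEach-Object { Write-Output $_ }
}
```

Each check is independent, so a clean result on one (for example a renamed drop directory) does not mask the others; the missing-share and port checks in particular do not depend on the file names, which the post notes may vary.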