[unisog] Another virus

Anderson Johnston andy at umbc.edu
Fri Sep 12 17:47:40 GMT 2003


According to:

	http://www.evergreeninteractive.com/dloader/dlfaq.html

port 17850 is used by the main server program in the A/S 400 Report
Downloader.  The FAQ says that the port needs to remain open for proper
functioning.

There doesn't seem to be much other use for that port.  Probably wouldn't
hurt most networks to block it along with 135, 139, 445, etc.

On Fri, 12 Sep 2003, Stephanie Hagopian wrote:

> I got a lot of helpful info when I posted the Gaobot.AB symptoms, so
> here's another one! We're seeing one that I can't find matches for on
> McAfee, TrendMicro and Norton sites that appeared last week sometime on
> our network:
>
> SYMPTOMS: scanning netbios 445/tcp, port 17850 tcp open and attacking
> other machines, opens up lots of IRC ports (randomly) to connect to
> random IRC server outside of ntwk, attacks other machines with spoofed
> usernames, attempts to log into machines to exploit weak or absent admin
> passwords ("root, user, admin, etc")
>
> - It seems to come in through a webpage, because the initial installer
> is found in a subdirectory of the c:\Document and Settings\Default
> Users\Local Settings\Temp Internet Files\Content.IE5\. This file copies
> to the c:\ root directory where it launches.
>
> - in system32 folder:
> fake directory named "\\v v\\s s\" (this folder name could be randomly
> generated, so might not be consistent)
> -bbb.exe is in the root directory
> -tool.exe is a running process and also found in System32 directory
>
> -The existence of the following key or similar key in the registry:
>
> HK\Local System\Software\Microsoft\Windows\Current Version\Run:
>
>      "l4m32"="c:\\winnt\\system32\\v v\\s s\\tool.exe"
>
> -The files in the '%windir%\system32\v v\s s\' may appear non-existent,
> but from a cmd window focused on this directory you can run dir /ah to
> find the files installed by the hacker. I think the only files initially
> visible are tool.vsc and SHR.bat.
>
> -The other thing noticed by one of our system admins is that this virus
> will remove all net share names from the systems including the admin
> shares ipc$, admin$, c$, etc...
>
> Anyone seeing something similar?
>
>
> --
> Stephanie A. Hagopian
> IT Security Analyst
> University of North Carolina-Chapel Hill
> 105 Abernethy Hall
>
> https://www.unc.edu/security/staff/shagopia
>

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------
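A host-triage check for the indicators the thread lists (a 17850/tcp listener, outbound IRC sessions, and a Run-key value launching from an odd space-named subdirectory of system32), added here as an example and not code from either poster. It runs over constructed `netstat -an` and `reg export` samples embedded inline; the space-in-directory heuristic and the IRC port range are assumptions, since the post says the folder name may be random.

```python
import re

# Constructed sample of `netstat -an` output from a suspect host (not from the post).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17850          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1044        198.51.100.7:6667      ESTABLISHED
"""

# Constructed sample of `reg export` of the Run key; the l4m32 line mirrors the post.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"l4m32"="c:\\winnt\\system32\\v v\\s s\\tool.exe"
"""

SUSPECT_PORT = 17850
IRC_PORTS = range(6660, 6670)   # assumed range of common IRC server ports

def listening_on(netstat_text, port):
    """True if a TCP socket is bound to `port` in LISTENING state."""
    pat = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.M)
    return any(int(m.group(1)) == port for m in pat.finditer(netstat_text))

def irc_connections(netstat_text):
    """Established TCP sessions whose remote port is a common IRC port."""
    pat = re.compile(r"^\s*TCP\s+\S+\s+(\S+):(\d+)\s+ESTABLISHED", re.M)
    return [f"{m.group(1)}:{m.group(2)}" for m in pat.finditer(netstat_text)
            if int(m.group(2)) in IRC_PORTS]

def suspicious_run_entries(reg_text):
    """Run values named l4m32, or launched from a space-named subdirectory of
    system32 (heuristic assumed here because the folder name may be random)."""
    pat = re.compile(r'^"([^"]+)"="(.*)"$', re.M)
    hits = []
    for name, data in pat.findall(reg_text):
        path = data.replace("\\\\", "\\").lower()      # undo .reg escaping
        parts = path.split("\\")
        odd_dir = False
        if "system32" in parts:
            below = parts[parts.index("system32") + 1:-1]  # dirs under system32
            odd_dir = any(" " in d for d in below)
        if odd_dir or name.lower() == "l4m32":
            hits.append((name, path))
    return hits

def triage(netstat_text, reg_text):
    """Collect the three host-side indicators into one report."""
    return {"port_17850_listening": listening_on(netstat_text, SUSPECT_PORT),
            "irc_connections": irc_connections(netstat_text),
            "run_entries": suspicious_run_entries(reg_text)}
```

Feed it real `netstat -an` and `reg export` output captured from a suspect host; a hit on all three indicators together is a strong match for the behaviour described above, while the 445 and 135 listeners alone are normal.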

