[unisog] New Virus?
sab139 at psu.edu
Fri Sep 12 18:55:38 GMT 2003
I encountered the same thing yesterday, with some minor differences.
The source IP was randomly selected from the range 127.0.0.0/8. The destination IP address was always a single computer in the 204.152.x.x network. And the destination port was either 22, 53, or between 1000 and 9999. This was most likely its DoS mode.
Two ports were opened on the infected machine by scvhost.exe, and the higher-numbered port would return a large amount of binary data if you telnetted to it. I didn't capture it for comparison, but suspect it may be for other computers to download the virus from.
There was a third file, which was identical in content to winh132.exe, named svchosl.exe. Neither of these was actually running.
All the files were submitted to Symantec and identified by them as W32.HLLW.Gaobot.AA and W32.HLLW.Gaobot.AE.
At 1:42 PM -0400 9/10/03, Stephanie Hagopian wrote:
>Our campus has seen a unique virus that displays the same symptoms as two viruses already in existence (Gaobot.AA and Sdbot.N) but this one doesn't show up in the latest virus definitions. Evidence has already been submitted to Symantec from our office for forensics.
>Please let me know if anyone else has seen signs of this:
>- heavy Netbios scanning, port 445 (mostly) but also 135 seen as well
>- could be confused with Welchia:
>The attackers may have used the same RPC vulnerability to infect the
>- The victims connect to an IRC server and begin issuing DDOS commands using spoofed IPs.
>- exploits weak or absent Admin passwords/shares
>- floods network with spoofed IP packets (RFC1918 source IP addresses):
>The worm attempts to spread to non-existent IP addresses in the same subnet. This causes a lot of network disruption.
Steven Bairstow http://www.personal.psu.edu/~sab139
Computer and Network Services - Sutherland Building
Penn State University - Abington College
"The machine is a marvelous simplifier... and may be the modern
emancipator of the creative mind." -- Frank Lloyd Wright
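The two symptoms described in this thread (flood packets leaving the campus with 127.0.0.0/8 or RFC1918 source addresses, and one host sweeping neighbours on 445/135) are easy to pull out of flow records. The script below is an added example, not code from the original post or from any of the people quoted; the campus prefix 10.50.0.0/16, the sweep threshold, and the flow records themselves are constructed assumptions.

```python
"""Triage of flow records for the two symptoms reported in the thread:
spoofed-source flood packets and NetBIOS (445/135) sweeps.
Added example; not code from the original post."""
import ipaddress
from collections import defaultdict

# Assumption: the campus owns exactly this RFC1918 block.
LOCAL_NETS = [ipaddress.ip_network("10.50.0.0/16")]

# Sources that should never be seen leaving the campus: loopback is never valid on
# the wire, and RFC1918 space the campus does not own cannot be one of its hosts.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flows as (src, dst, dport); not captured data.
SAMPLE_FLOWS = [
    ("127.43.8.201", "204.152.0.10", 22),     # spoofed loopback source
    ("127.9.100.3", "204.152.0.10", 53),      # spoofed loopback source
    ("127.200.1.7", "204.152.0.10", 4321),    # spoofed loopback source
    ("127.1.1.1", "204.152.0.10", 80),        # spoofed, but port outside the profile
    ("10.1.2.3", "204.152.0.10", 7777),       # RFC1918 source the campus does not own
    ("192.168.5.5", "204.152.0.10", 1500),    # RFC1918 source the campus does not own
    ("10.50.1.30", "204.152.0.10", 443),      # ordinary outbound traffic
    ("10.50.1.20", "10.50.1.21", 445),        # one host sweeping its subnet
    ("10.50.1.20", "10.50.1.22", 445),
    ("10.50.1.20", "10.50.1.23", 445),
    ("10.50.1.20", "10.50.1.24", 445),
    ("10.50.1.20", "10.50.1.25", 135),
    ("10.50.1.20", "10.50.1.26", 135),
    ("10.50.1.50", "10.50.1.51", 445),        # a single file-share connection
    ("10.50.1.30", "10.50.1.40", 80),         # ordinary internal traffic
]


def matches_flood_port_profile(dport):
    """Destination ports the report associates with the flood: 22, 53, or 1000-9999."""
    return dport in (22, 53) or 1000 <= dport <= 9999


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def is_bogus_source(ip):
    """Loopback, or RFC1918 space that is not part of the campus allocation."""
    if ip in LOOPBACK:
        return True
    return any(ip in net for net in RFC1918) and not is_local(ip)


def find_spoofed_egress(flows):
    """Return (src, dst, dport, fits_profile) for flows leaving the campus whose
    source address cannot belong to a campus host."""
    hits = []
    for src, dst, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if is_local(d):
            continue  # only traffic leaving the campus is of interest here
        if is_bogus_source(s):
            hits.append((src, dst, dport, matches_flood_port_profile(dport)))
    return hits


def find_netbios_sweeps(flows, min_targets=5):
    """Map each campus source to the number of distinct campus hosts it contacted
    on 445 or 135, keeping only sources above the sweep threshold."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dport in (445, 135) and is_local(s) and is_local(d):
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, dst, dport, fits in find_spoofed_egress(SAMPLE_FLOWS):
        tag = "flood-profile port" if fits else "other port"
        print(f"spoofed egress: {src} -> {dst}:{dport} ({tag})")
    for src, count in find_netbios_sweeps(SAMPLE_FLOWS).items():
        print(f"NetBIOS sweep: {src} touched {count} internal hosts on 445/135")
```

Both checks are per-source-address rather than per-packet, which is what makes them useful at the border: a single egress filter that drops 127.0.0.0/8 and foreign RFC1918 sources stops the flood from leaving the campus, and the sweep count points at the infected host without needing the malware's file names.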