[unisog] Virus?

Chris Stoermer stoermer at unt.edu
Tue Feb 17 15:55:13 GMT 2004


Maybe related, maybe not.  We definitely have a new worm.  Email subject is "ID: <.garbage> THanks!"  Attachment is <garbage>.exe

Drops a sys32 exe called au.exe and sets it to start in HKLM\Software\Microsoft\Current Version\Run and HKCU\.....Run

We have been cleaning up behind it, so we haven't done much of anything else in forensics.

Chris Stoermer
Computer Support Specialist V
UNT--COBA Computing Center
P.O. Box 311160
Denton, Texas 76203-1160
wrk# 940.369.8613
fax#  940.369.8439
email:stoermer at unt.edu

>>> "Jeff Nagel" <jnagel at wlc.edu> 02/16/04 12:26PM >>>
We've recently begun to see some machines with Blaster-like activity such as
the RPC message and then the machine reboots itself.  Virus protection
seems to get disabled and when you try to do LiveUpdate it closes.  Another
symptom is when you try to go into the registry it closes on you.  The
machines also are showing outbound traffic on port 135.
Any ideas?
Jeff Nagel, MCP
Network Support Specialist
Wisconsin Lutheran College
