[unisog] Virus?

Ken Connelly Ken.Connelly at uni.edu
Tue Feb 17 19:25:39 GMT 2004


This is being called bagel.b by at least some of the AV folks.  Started 
showing up this morning.

- ken

Chris Stoermer wrote:

>Howdy!
>
>Maybe related, maybe not.  We definitely have a new worm.  Email subject is "ID: <.garbage> THanks!"  Attachment is <garbage>.exe
>
>Drops a sys32 exe called au.exe and sets it to start in HKLM\Software\Microsoft\Current Version\Run and HKCU\.....Run
>
>We have been cleaning up behind it, so we haven't done much of anything else in forensics.
>
>
>
>Chris Stoermer
>Computer Support Specialist V
>UNT--COBA Computing Center
>P.O. Box 311160
>Denton, Texas 76203-1160
>wrk# 940.369.8613
>fax#  940.369.8439
>email:stoermer at unt.edu
>
>  
>
>>>>"Jeff Nagel" <jnagel at wlc.edu> 02/16/04 12:26PM >>>
>>>>        
>>>>
>We've recently begun to see some machines with Blaster-like activity such as
>the RPC message and then the machine reboots itself.  Virus protection
>seems to get disabled and when you try to do LiveUpdate it closes.  Another
>symptom is when you try to go into the registry it closes on you.  The
>machines also are showing outbound traffic on port 135.
> 
>Any ideas?
> 
>Jeff Nagel, MCP
>Network Support Specialist
>Wisconsin Lutheran College
> 
>
>  
>

-- 
- Ken
===========================================================================
Ken Connelly (KC152) Systems and Operations Manager, ITS - Network Services
University of Northern Iowa                     Cedar Falls, IA  50614-0121
email: Ken.Connelly at uni.edu    phone: (319) 273-5850    fax: (319) 273-7373

It's much more important to know what you don't know than what you do know!
