Ken.Connelly at uni.edu
Tue Feb 17 19:25:39 GMT 2004
This is being called bagel.b by at least some of the AV folks. Started
showing up this morning.
Chris Stoermer wrote:
>Maybe related, maybe not. We definitely have a new worm. Email subject is "ID: <.garbage> THanks!" Attachment is <garbage>.exe
>Drops a sys32 exe called au.exe and sets it to start in HKLM\Software\Microsoft\Current Version\Run and HKCU\.....Run
>We have been cleaning up behind it, so we haven't done much of anything else in forensics.
>Computer Support Specialist V
>UNT--COBA Computing Center
>P.O. Box 311160
>Denton, Texas 76203-1160
>email:stoermer at unt.edu
>>>>"Jeff Nagel" <jnagel at wlc.edu> 02/16/04 12:26PM >>>
>We've recently begun to see some machines with Blaster-like activity such as
>the RPC message and then the machine reboots itself. Virus protection
>seems to get disabled and when you try to do LiveUpdate it closes. Another
>symptom is when you try to go into the registry it closes on you. The
>machines also are showing outbound traffic on port 135.
>Jeff Nagel, MCP
>Network Support Specialist
>Wisconsin Lutheran College
Ken Connelly (KC152) Systems and Operations Manager, ITS - Network Services
University of Northern Iowa Cedar Falls, IA 50614-0121
email: Ken.Connelly at uni.edu phone: (319) 273-5850 fax: (319) 273-7373
It's much more important to know what you don't know than what you do know!