[unisog] Virus?

Jeff Nagel jjnagel at wi.rr.com
Tue Feb 17 21:14:51 GMT 2004


Here is what I found after spending some time with an infected machine.  In
C:\Winnt\System32 there are two files, winampa.exe and winampa.exe.poly,
which are both 226K.  There is also a service installed called Win leoahder.
In the registry in HKLM\Software\Microsoft\Windows\Current Version\Run and
Run Services there is a key named win leoahder.  I deleted the two registry
keys and the two files, and I was able to run regedit as well as Norton.  Not sure
if this was a virus, a worm, or some spyware.

-----Original Message-----
From: H. Morrow Long [mailto:morrow.long at yale.edu] 
Sent: Monday, February 16, 2004 9:41 PM
To: Jeff Nagel
Cc: unisog at sans.org
Subject: Re: [unisog] Virus?

Sounds like it could be the 'exploit' for the ASN.1 vulnerability
(MS04-007) in Windows which was released and is apparently being
actively exploited on the Internet.

- H. Morrow Long
   Director - Information Security Office
   Yale University, ITS

On Feb 16, 2004, at 1:26 PM, Jeff Nagel wrote:

> We've recently begun to see some machines with Blaster-like activity, such as
> the RPC message, and then the machines reboot themselves.  Virus protection
> seems to get disabled, and when you try to do LiveUpdate it closes.  Another
> symptom is when you try to go into the registry it closes on you.  The
> machines are also showing outbound traffic on port 135.
>
> Any ideas?
>
> Jeff Nagel, MCP
> Network Support Specialist
> Wisconsin Lutheran College
>
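A host triage check for the indicators Jeff reports above (the two files in System32, the "Win leoahder" service, and the "win leoahder" autostart entries), added here as an example and not part of the thread. It assumes a current Windows host with PowerShell, run from an elevated prompt, and uses the Run key's actual registry name, CurrentVersion.

```powershell
# Added triage check, not from the original thread. Looks for the indicators reported
# by Jeff Nagel and prints any that are present on this host. Detection only; it removes nothing.
$indicatorNames = @('win leoahder')                    # autostart value / service name from the report
$indicatorFiles = @('winampa.exe', 'winampa.exe.poly')  # files reported in %SystemRoot%\System32
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$findings = @()

# 1. Autostart entries: flag any value whose name or target matches an indicator.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }    # RunServices is absent on most hosts
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }   # skip PowerShell's provider metadata
        $hitName = $indicatorNames | Where-Object { $p.Name -like "*$_*" }
        $hitFile = $indicatorFiles | Where-Object { "$($p.Value)" -like "*$_*" }
        if ($hitName -or $hitFile) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Location = $key; Detail = "$($p.Name) = $($p.Value)" }
        }
    }
}

# 2. Services: match on service name or display name.
Get-Service | Where-Object {
    $svc = $_
    $indicatorNames | Where-Object { $svc.Name -like "*$_*" -or $svc.DisplayName -like "*$_*" }
} | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Service'; Location = $_.Name; Detail = $_.DisplayName }
}

# 3. Files in System32 (the report used C:\Winnt; $env:SystemRoot resolves whichever root is in use).
foreach ($f in $indicatorFiles) {
    $path = Join-Path $env:SystemRoot "System32\$f"
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "$($item.Length) bytes" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No indicators from the report found.' }
```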
