[unisog] New Worm?

Mary Ng maryng at Princeton.EDU
Thu Jun 3 17:36:26 GMT 2004


Good Afternoon,

We have been detecting a number of our fully patched Windows NT/2000
Workstations/Servers running the latest virus definition files being
compromised with the following symptoms:

1. Virus Realtime Protection is disabled
2. A folder called bin which contains several service executables and work
files is hidden under the recycler folder
3. Compromised systems have an FTP service installed communicating on ports
3250 and 59980
4. The bin folder also contains Winvnc.exe and servuftp.exe server (renamed
as svchost.exe)
5. The SVCHOST.exe is a trojan and actually calls serv-u.exe. Its display
name is NTLM Service Agent, registry entry is under
HKLM\System\CurrentControlSet\Services\SrvAgent 
6. There is a running a process called MSWDMSS.exe, this service runs a
command line based executable called msimn.exe (This executable is a Trojan
and is placed in the system32 folder)
7. There is also a script blocking service and registry entries for all
three services though none appear under Run

There is currently no removal tools published from the vendors. However, we
have reported this incident to Symantec.  As of now we have been running
port scans and cleaning infected systems manually.

Are other universities experiencing anything like this?

Best Regards,

Mary Ng
Security Specialist
Princeton University




More information about the unisog mailing list