[unisog] New Worm?

Anderson Johnston andy at umbc.edu
Thu Jun 3 19:23:54 GMT 2004



Thanks for the heads-up, Mary!

I'm running nmap:

	nmap -sV -p 3250,59980 -oA 040603-1 -iL /usr/local/etc/campus_ip_list

to see if we have anything matching the profile.  If we get hits, I'll
try to get to them and post what I find on the list.


					- Andy Johnston

On Thu, 3 Jun 2004, Mary Ng wrote:

> Good Afternoon,
>
> We have been detecting a number of our fully patched Windows NT/2000
> Workstations/Servers running the latest virus definition files being
> compromised with the following symptoms:
>
> 1. Virus Realtime Protection is disabled
> 2. A folder called bin which contains several service executables and work
> files is hidden under the recycler folder
> 3. Compromised systems have an FTP service installed communicating on ports
> 3250 and 59980
> 4. The bin folder also contains Winvnc.exe and servuftp.exe server (renamed
> as svchost.exe)
> 5. The SVCHOST.exe is a trojan and actually calls serv-u.exe. Its display
> name is NTLM Service Agent, registry entry is under
> HKLM\System\CurrentControlSet\Services\SrvAgent
> 6. There is a running process called MSWDMSS.exe; this service runs a
> command line based executable called msimn.exe (This executable is a Trojan
> and is placed in the system32 folder)
> 7. There is also a script blocking service and registry entries for all
> three services, though none appear under Run
>
> There are currently no removal tools published by the vendors. However, we
> have reported this incident to Symantec.  As of now we have been running
> port scans and cleaning infected systems manually.
>
> Are other universities experiencing anything like this?
>
> Best Regards,
>
> Mary Ng
> Security Specialist
> Princeton University
>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
>

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *                                 **
**                                        * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------
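The scan Andy describes writes greppable output (the .gnmap file produced by -oA) that has to be triaged for hosts showing the port profile from Mary's post. The script below is an added example, not code from either poster: it parses nmap's greppable "Host: ... Ports: ..." lines and separates hosts with both TCP 3250 and 59980 open from hosts with only one of them, and also lists any host whose -sV banner names Serv-U, since the post says the renamed svchost.exe is actually a Serv-U server. The sample scan lines, IP addresses and hostnames embedded below are constructed for the example; the field layout (port/state/proto/owner/service/rpc/version) is nmap's documented greppable format.

```python
"""Triage nmap greppable output (-oG, or the .gnmap file from -oA) for the
profile in the thread: hosts with TCP 3250 and 59980 open, and any -sV
banner mentioning Serv-U.  Added example, not code from the thread."""
from typing import Dict, List, Set, Tuple

# Ports named in the original post as the trojaned FTP service's listeners.
PROFILE_PORTS: Set[int] = {3250, 59980}

# Constructed sample of .gnmap lines (IPs and names are made up), laid out
# as nmap writes them: tab-separated fields, ports separated by ", ", and
# each port entry as port/state/proto/owner/service/rpc/version/
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -p 3250,59980 -oA 040603-1 -iL campus_ip_list
Host: 10.0.1.10 (lab-pc-10.example.edu)\tPorts: 3250/open/tcp//unknown///, 59980/open/tcp//ftp//Serv-U ftpd/\tIgnored State: closed (0)
Host: 10.0.1.11 (lab-pc-11.example.edu)\tPorts: 3250/closed/tcp//unknown///, 59980/closed/tcp//unknown///
Host: 10.0.1.12 ()\tPorts: 3250/open/tcp//unknown///, 59980/filtered/tcp//unknown///
Host: 10.0.1.13 ()\tStatus: Down
# Nmap done
"""

PortInfo = Dict[str, str]


def parse_gnmap(text: str) -> Dict[str, Dict[int, PortInfo]]:
    """Map host IP -> {port: {state, proto, service, version}} for every
    'Host:' line that carries a 'Ports:' field.  Hosts reported only as
    'Status: Down' (or with no port data) are skipped."""
    hosts: Dict[str, Dict[int, PortInfo]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]          # "Host: 10.0.1.10 (name)" -> "10.0.1.10"
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue
        hosts[ip] = {}
        for entry in ports_field[len("Ports:"):].strip().split(", "):
            # Seven slash-separated fields plus a trailing empty element.
            f = entry.split("/")
            hosts[ip][int(f[0])] = {
                "state": f[1],
                "proto": f[2],
                "service": f[4],
                "version": f[6],
            }
    return hosts


def triage(hosts: Dict[str, Dict[int, PortInfo]],
           profile: Set[int] = PROFILE_PORTS) -> Tuple[List[str], List[str]]:
    """Return (full_hits, partial_hits): hosts with every profile port open,
    and hosts with at least one but not all of them open.  Partial hits
    still deserve a look; a filtered port may just be a host firewall."""
    full: List[str] = []
    partial: List[str] = []
    for ip, ports in sorted(hosts.items()):
        open_ports = {p for p, info in ports.items() if info["state"] == "open"}
        hit = open_ports & profile
        if hit == profile:
            full.append(ip)
        elif hit:
            partial.append(ip)
    return full, partial


def serv_u_hosts(hosts: Dict[str, Dict[int, PortInfo]]) -> List[str]:
    """Hosts where any -sV version string mentions Serv-U, regardless of port."""
    return sorted(ip for ip, ports in hosts.items()
                  if any("serv-u" in info["version"].lower() for info in ports.values()))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    full, partial = triage(scan)
    print("both profile ports open:", full)
    print("one profile port open:  ", partial)
    print("Serv-U banner seen on:  ", serv_u_hosts(scan))
```

Run it against a real file with `parse_gnmap(open("040603-1.gnmap").read())`; hosts in the full-hit list are the ones worth visiting first to look for the hidden bin folder and the SrvAgent service key from Mary's list.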