[unisog] New Worm?

Jason Richardson A00JER1 at wpo.cso.niu.edu
Thu Jun 3 19:31:47 GMT 2004


We're doing the same.  I'll report back later today.

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich at niu.edu



>>> andy at umbc.edu 6/3/2004 2:23:54 PM >>>


Thanks for the heads-up, Mary!

I'm running nmap:

	nmap -sV -p 3250,59980 -oA 040603-1 -iL /usr/local/etc/campus_ip_list

to see if we have anything matching the profile.  If we get hits, I'll
try to get to them and post what I find on the list.


					- Andy Johnston

On Thu, 3 Jun 2004, Mary Ng wrote:

> Good Afternoon,
>
> We have been detecting a number of our fully patched Windows NT/2000
> Workstations/Servers running the latest virus definition files being
> compromised with the following symptoms:
>
> 1. Virus Realtime Protection is disabled
> 2. A folder called bin which contains several service executables and work
> files is hidden under the recycler folder
> 3. Compromised systems have an FTP service installed communicating on ports
> 3250 and 59980
> 4. The bin folder also contains Winvnc.exe and servuftp.exe server (renamed
> as svchost.exe)
> 5. The SVCHOST.exe is a trojan and actually calls serv-u.exe. Its display
> name is NTLM Service Agent, registry entry is under
> HKLM\System\CurrentControlSet\Services\SrvAgent
> 6. There is a running process called MSWDMSS.exe, this service runs a
> command line based executable called msimn.exe (This executable is a Trojan
> and is placed in the system32 folder)
> 7. There is also a script blocking service and registry entries for all
> three services though none appear under Run
>
> There are currently no removal tools published from the vendors. However, we
> have reported this incident to Symantec.  As of now we have been running
> port scans and cleaning infected systems manually.
>
> Are other universities experiencing anything like this?
>
> Best Regards,
>
> Mary Ng
> Security Specialist
> Princeton University
>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org 
> http://www.dshield.org/mailman/listinfo/unisog 
>

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *                              **
**                                        * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------
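One way to triage the scan Andy describes, as an added example that is not from the thread: parse the grepable .gnmap file that nmap -oA writes and list hosts whose open ports match the two-port profile (3250 and 59980) Mary reported, separating full matches from hosts with only one of the ports open. The sample output, addresses and version strings are constructed.

```python
"""Triage nmap grepable output against the 3250/59980 profile from the thread.
Added example; the scan data below is constructed, not a real campus scan."""
import re
from typing import Dict, List, Set, Tuple

PROFILE_PORTS: Set[int] = {3250, 59980}

# Constructed sample of what the .gnmap file from 'nmap -sV -p 3250,59980 -oA ...' looks like.
SAMPLE_GNMAP = (
    "# Nmap scan initiated Thu Jun  3 14:23:54 2004 as: nmap -sV -p 3250,59980 -oA 040603-1 -iL campus_ip_list\n"
    "Host: 192.0.2.10 ()\tPorts: 3250/open/tcp//ftp//Serv-U ftpd/, 59980/open/tcp//unknown///\tIgnored State: closed (0)\n"
    "Host: 192.0.2.11 ()\tPorts: 3250/closed/tcp//unknown///, 59980/closed/tcp//unknown///\n"
    "Host: 192.0.2.12 ()\tPorts: 3250/open/tcp//ftp//Serv-U ftpd/, 59980/filtered/tcp//unknown///\n"
    "Host: 192.0.2.13 ()\tStatus: Down\n"
    "# Nmap done at Thu Jun  3 14:40:12 2004 -- 4 IP addresses (3 hosts up) scanned\n"
)

# Each port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text: str) -> Dict[str, Dict[int, Tuple[str, str]]]:
    """Map each live host to its open ports -> (service, version)."""
    hosts: Dict[str, Dict[int, Tuple[str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment/summary lines
        # Tab-separated "Key: value" fields (Host, Ports, Status, Ignored State)
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if fields.get("Status") == "Down":
            continue
        ip = fields["Host"].split()[0]
        open_ports: Dict[int, Tuple[str, str]] = {}
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, _proto, _owner, service, _rpc, version = m.groups()
            if state == "open":
                open_ports[int(port)] = (service, version)
        hosts[ip] = open_ports
    return hosts


def classify(hosts: Dict[str, Dict[int, Tuple[str, str]]],
             profile: Set[int] = PROFILE_PORTS) -> Tuple[List[str], List[str]]:
    """Return (hosts with every profile port open, hosts with only some of them)."""
    full = sorted(ip for ip, p in hosts.items() if profile <= set(p))
    partial = sorted(ip for ip, p in hosts.items()
                     if profile & set(p) and not profile <= set(p))
    return full, partial


if __name__ == "__main__":
    full, partial = classify(parse_gnmap(SAMPLE_GNMAP))
    print("matches profile:", full)        # candidates to pull and inspect first
    print("partial (one port only):", partial)
```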