[unisog] zotob variant?

Brian Smith-Sweeney bsmithsweeney at nyu.edu
Fri Aug 26 20:12:34 GMT 2005


Carol Myers wrote:
> I received the following and haven't found anything yet, symantec or 
> otherwise, that is helping with this college's issue...here's the text
> 
> I was wondering if any of you have encountered problems like we have. On 
> or around the 14th, I believe we were hit with a worm on our Windows 
> 2000 systems. I believe it is the same **type** of worm that is 
> responsible for zotob, but Symantec says nothing about what I’m seeing.
> 
> Here are some of the tell-tale signs:
> A local account is created called ExchangeAdmin that is made an 
> administrator.
> A service is created called “Users service for disk management requests” 
> that points to CHKDSK32 in WINNT\System32.
> 
> Any thoughts or suggestions at this point would be greatly appreciated. 
> Thanks.
> 

Might just be a kiddie abusing MS05-039 with their own kit. If they're 
using something like a generic ftp server or they've installed a rootkit, 
Symantec might not pick it up.

I'd guess CHKDSK32 is an ftp/irc/etc server.  Is it listening on any 
ports?  Does netstat show different results than a remote portscan, 
indicating rootkit?


-Brian


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney      Sr. Network Security Analyst
ITS Technology Security Services, New York University
bsmithsweeney at nyu.edu
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
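One way to run the netstat-versus-remote-portscan comparison Brian suggests, as an added example that is not part of this thread: the netstat and scan outputs below are constructed samples, and the scan is assumed to have been taken from a separate, trusted host.

```python
import re

# Constructed sample: `netstat -an` output as seen on the suspect host.
# A rootkit that filters netstat would hide the backdoor's listener here.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample: TCP scan of the same host from another machine
# (nmap-style port table).
REMOTE_SCAN_OUTPUT = """\
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
6667/tcp open  irc
"""

def parse_netstat_listeners(text):
    """Return the set of TCP ports in LISTENING state from netstat -an output."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def parse_remote_open_ports(text):
    """Return the set of open TCP ports from an nmap-style port table."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)/tcp\s+open\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def hidden_listeners(netstat_text, scan_text):
    """Ports reachable from the network but absent from the local netstat view.
    A non-empty result is consistent with a rootkit hiding the listener."""
    return parse_remote_open_ports(scan_text) - parse_netstat_listeners(netstat_text)

if __name__ == "__main__":
    for port in sorted(hidden_listeners(NETSTAT_OUTPUT, REMOTE_SCAN_OUTPUT)):
        print(f"port {port}/tcp open remotely but not in netstat: possible hidden listener")
```

Run `netstat -an` on the suspect host and the scan from a clean machine; a port that only the remote scan sees is the discrepancy the check is looking for.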

