[unisog] W32/Doxpar.worm outbreak @ SU campus

Alex Tirdil AJTIRDIL at salisbury.edu
Wed Feb 23 23:37:08 GMT 2005

Hey everyone,

Just wanted to give you all the heads-up.  We had a relatively minor, but damaging virus outbreak on 2/18/05 around 8am in the morning.  Since then more and more hosts have shown up until today when we finally got the fix.

McAfee DAT 02/23/05 detects it; this version and up will be the only ones to detect it.
Norton DAT 02/17/05 can detect it.

I didn't bother looking at the other versions, very busy trying to get these machines clean now.  But the virus is very nasty, read about it here: http://securityresponse.symantec.com/avcenter/venc/data/w32.doxpar.html

The DoS attack it does has been hurting our network ever since Friday.  One of our core switches has been randomly rebooting since Friday and we have had full link utilization (i.e. 2 Gbps) on some of the links to the core in response to this virus.

All infected student machines had ports 21 and 25 open; this was discovered via nmap.  If you can get on the machine, explorer.exe will usually exhibit high CPU utilization.

We believe our students got infected by clicking a link in someone's AIM profile and going to a webpage, as one of the locations of the virus was in temporary internet files.  The actual file I have found so far was located in C:\windows\system32 and was named "ykaflo32.dll".

Just a heads up, this caused us MAJOR network problems so everyone keep your eyes open.

-alex t
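
Added example, not part of the original post: a triage script that applies the indicator reported above (TCP 21 and 25 both open) to a saved nmap scan and lists the hosts to follow up on. It assumes the scan was written in nmap's grepable format (`-oG`); the sample scan and its addresses are constructed. A match is only a candidate for inspection, since a legitimate FTP or mail server shows the same ports.

```python
import re

# Indicator from the post: infected student machines had TCP 21 and 25 open.
INDICATOR_PORTS = frozenset({21, 25})

# Constructed sample of `nmap -oG` (grepable) output; addresses are made up.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 10.20.1.15 ()\tStatus: Up
Host: 10.20.1.15 ()\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 135/open/tcp//msrpc///\tIgnored State: closed (997)
Host: 10.20.1.22 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///
Host: 10.20.1.31 ()\tPorts: 21/filtered/tcp//ftp///, 25/open/tcp//smtp///
Host: 10.20.1.40 ()\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///
# Nmap done
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def open_tcp_ports(line):
    """Return (host, open TCP ports) for a grepable line with a Ports field, else None."""
    m = HOST_RE.match(line)
    if not m:
        return None
    for field in line.split("\t"):
        if field.startswith("Ports:"):
            ports = set()
            for entry in field[len("Ports:"):].split(","):
                # Entry layout: port/state/protocol/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if (len(parts) >= 3 and parts[0].isdigit()
                        and parts[1] == "open" and parts[2] == "tcp"):
                    ports.add(int(parts[0]))
            return m.group(1), ports
    return None


def suspect_hosts(scan_text, required=INDICATOR_PORTS):
    """Hosts whose open TCP ports include every port in `required`."""
    seen = {}
    for line in scan_text.splitlines():
        parsed = open_tcp_ports(line)
        if parsed:
            host, ports = parsed
            seen.setdefault(host, set()).update(ports)
    return sorted(h for h, p in seen.items() if required <= p)


if __name__ == "__main__":
    for host in suspect_hosts(SAMPLE_SCAN):
        print(host)
```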
