[unisog] W32/Doxpar.worm outbreak @ SU campus

Alex Tirdil ajtirdil at salisbury.edu
Thu Feb 24 04:03:20 GMT 2005


Just to let all of you know, I have been able to get a copy of this
virus from one of the student machines we have that was infected.  If
anyone wants a copy for their own testing purposes, reply to me off-list
and I will send you an email with the virus attached.  Make sure you
turn off your AV so it won't be filtered.  I may also provide it via HTTP
on request.

-alex t
ajtirdil at salisbury.edu
Salisbury University

Alex Tirdil
Salisbury University
Network Control Specialist
AJTIRDIL at salisbury.edu
410-677-5367
>>> AJTIRDIL at salisbury.edu 02/23/05 6:37 PM >>>
Hey everyone,

Just wanted to give you all the heads-up.  We had a relatively minor,
but damaging virus outbreak on 2/18/05 around 8am in the morning.  Since
then more and more hosts have shown up until today when we finally got
the fix.

McAfee DAT 02/23/05 detects it; this version and up will be the only
ones to detect it.
Norton DAT 02/17/05 can detect it.

I didn't bother looking at the other versions, very busy trying to get
these machines clean now.  But the virus is very nasty, read about it
here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.doxpar.html

The DoS attack it does has been hurting our network ever since Friday.
One of our core switches has been randomly rebooting since Friday and we
have had full link utilization (i.e. 2 Gbps) on some of the links to the
core in response to this virus.

All infected student machines had ports 21 and 25 open; this was
discovered via nmap.  If you can get on the machine, explorer.exe will
usually exhibit high CPU utilization.

We believe our students got infected by clicking a link in someone's AIM
profile and going to a webpage, as one of the locations of the virus was
in temporary internet files.  The actual file I have found so far was
located in C:\windows\system32 and was named "ykaflo32.dll".

Just a heads up, this caused us MAJOR network problems so everyone keep
your eyes open.

-alex t
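Turning the nmap observation in the post into a triage list, as an added example that is not the author's code: it parses constructed nmap grepable (-oG) output lines and flags hosts with both TCP 21 and 25 open. That pair is a weak signal (a legitimate FTP or mail server matches too), so the result is a list of hosts to confirm on the box, via explorer.exe CPU use and the system32 DLL named in the post, not a verdict.

```python
import re

# Constructed sample of nmap grepable (-oG) output, not real scan data.
# Fields on a "Host:" line are tab-separated; each port entry is
# port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_SCAN = """\
# Nmap 3.81 scan initiated (constructed sample)
Host: 10.0.5.12 ()\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 135/open/tcp//msrpc///\tIgnored State: closed (997)
Host: 10.0.5.13 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 10.0.5.14 ()\tPorts: 21/open/tcp//ftp///, 25/filtered/tcp//smtp///\tIgnored State: closed (998)
Host: 10.0.5.15 ()\tStatus: Up
"""

# Indicator from the post: infected hosts had both TCP 21 and 25 open.
INDICATOR_PORTS = frozenset({21, 25})

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def open_tcp_ports(line):
    """Return the set of open TCP ports listed on one -oG 'Host:' line."""
    fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
    ports = set()
    for entry in fields.get("Ports", "").split(","):
        m = PORT_RE.match(entry.strip())
        # Only count ports nmap reports as open; filtered/closed do not match.
        if m and m.group(2) == "open" and m.group(3) == "tcp":
            ports.add(int(m.group(1)))
    return ports


def flag_hosts(scan_text, indicator=INDICATOR_PORTS, exclude=frozenset()):
    """Return {host: sorted open ports} for hosts exposing every indicator port.

    `exclude` holds addresses of known FTP/mail servers that legitimately
    listen on these ports, so they are not put on the triage list.
    """
    flagged = {}
    for line in scan_text.splitlines():
        if not line.startswith("Host: "):
            continue
        host = line.split()[1]
        if host in exclude:
            continue
        ports = open_tcp_ports(line)
        if indicator <= ports:
            flagged[host] = sorted(ports)
    return flagged


if __name__ == "__main__":
    for host, ports in flag_hosts(SAMPLE_SCAN).items():
        print(f"{host}: open tcp {ports} -> check explorer.exe CPU and system32")
```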

_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog