[unisog] zotob variant?

Gary Flynn flynngn at jmu.edu
Thu Oct 13 12:25:12 GMT 2005


Carol Myers wrote:
> I received the following and haven't found anything yet, Symantec or 
> otherwise, that is helping with this college's issue...here's the text
> 
> I was wondering if any of you have encountered problems like we have. On 
> or around the 14th, I believe we were hit with a worm on our Windows 
> 2000 systems. I believe it is the same **type** of worm that is 
> responsible for zotob, but Symantec says nothing about what I’m seeing.
> 
> Here are some of the tell-tale signs:
> A local account is created called ExchangeAdmin that is made an 
> administrator.
> A service is created called “Users service for disk management requests” 
> that points to CHKDSK32 in WINNT\System32.

Get a sample and submit it Virustotal at:
http://www.virustotal.com/xhtml/index_en.html

They'll run multiple vendors' AV products against
it. Also submit a sample to Symantec if that is
your AV vendor.

I'm running across an unknown piece of malware almost
once a week. More often if I look for it.

Were the machines patched? Did they have a strong
Administrator password?

-- 
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
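An added example, not from either poster: a small host check that looks for the two indicators Carol's college described (the ExchangeAdmin account in the local Administrators group, and a service whose display name or image path matches the CHKDSK32 one). It assumes you paste in the output of `net localgroup Administrators` and a list of (DisplayName, ImagePath) pairs read from the Services registry keys; the sample data at the bottom is constructed.

```python
import re

# Indicators quoted in the thread above.
SUSPECT_ACCOUNTS = {"exchangeadmin"}
SUSPECT_SERVICE_NAMES = {"users service for disk management requests"}
# Service binary named chkdsk32 under System32, as described in the thread.
SUSPECT_IMAGE_RE = re.compile(r"\\system32\\chkdsk32(\.exe)?\b", re.IGNORECASE)


def parse_net_localgroup(text):
    """Member names from `net localgroup Administrators` output: they follow the
    dashed separator, up to three per line in space-padded columns."""
    members, in_members = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_members = True
            continue
        if not in_members or not line:
            continue
        if line.lower().startswith("the command completed"):
            break
        members.extend(n for n in re.split(r"\s{2,}", line) if n)
    return members


def find_indicators(localgroup_output, services):
    """services: iterable of (DisplayName, ImagePath) pairs as read from
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>. Returns (kind, value) hits."""
    hits = []
    for member in parse_net_localgroup(localgroup_output):
        if member.lower() in SUSPECT_ACCOUNTS:
            hits.append(("admin-account", member))
    for display_name, image_path in services:
        if display_name.strip().lower() in SUSPECT_SERVICE_NAMES:
            hits.append(("service-name", display_name))
        if SUSPECT_IMAGE_RE.search(image_path):
            hits.append(("service-image", image_path))
    return hits


# Constructed sample host data (not real output from the affected machines).
SAMPLE_LOCALGROUP = """\
Alias name     Administrators
Members
-------------------------------------------------------------------------------
Administrator            ExchangeAdmin
The command completed successfully.
"""
SAMPLE_SERVICES = [
    ("Event Log", r"C:\WINNT\system32\services.exe"),
    ("Users service for disk management requests", r"C:\WINNT\System32\CHKDSK32.EXE"),
]

if __name__ == "__main__":
    for kind, value in find_indicators(SAMPLE_LOCALGROUP, SAMPLE_SERVICES):
        print(f"{kind}: {value}")
```

A clean host returns an empty list; any hit is a reason to pull the binary and submit it to VirusTotal as Gary suggests.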

