New or existing virus/vulnerability in Windows software?

Dan Lockwood dlockwood at shastalink.k12.ca.us
Sat Aug 2 19:59:04 UTC 2003


Everyone,
 
We are having fits with a new? virus or vulnerability.  The symptoms are
as follows: an executable saatg.exe "appears" in the startup folder of
the All Users group and after a reboot launches itself.  It adds a
registry entry under
HKEY_LOCAL_MACHINE/Software/Microsoft/CurrentVersion/Run.  The
executable shows under processes and seems to also launch additional
processes, e.g. ~1.exe, ~2.exe, ~3.exe, etc.  I cannot link any
malicious activity to this behavior, but it seems to be spreading like
wildfire on our network, apparently with absolutely no user activity.
In testing I have done thus far it finds its way on to a _virgin_ system
that has been installed disconnected from the network with CD media
including all relevant security patches.  Panda anti-virus does not seem
to detect it either.  It shows up on systems where there is no
interactive login, e.g. servers, regular users, and users with elevated
privileges.  Additionally, once the executable is active it
systematically searches for other systems to share the good news with on
port TCP 135.  I am aware of the recent vulnerabilities from Microsoft
regarding RPC and NetBIOS, but again, the recommended security fixes do
not seem to provide any relief.  Does anyone have any insight into what
this thing is?  TIA
 
Dan Lockwood
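
Added example, not part of the original message: a short Python triage sketch that flags the two behaviours reported above, namely hosts fanning out to many peers on TCP 135 and processes named saatg.exe or ~N.exe. The flow-record format, the sample addresses, the threshold and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample flow records (assumed format: "src dst proto dst_port").
SAMPLE_FLOWS = """\
10.1.4.23 10.1.4.1 tcp 135
10.1.4.23 10.1.4.2 tcp 135
10.1.4.23 10.1.4.3 tcp 135
10.1.4.23 10.1.4.4 tcp 135
10.1.4.23 10.1.4.5 tcp 135
10.1.4.23 10.1.4.6 tcp 135
10.1.4.50 10.1.4.10 tcp 135
10.1.4.50 10.1.4.10 tcp 445
10.1.4.77 10.1.4.1 tcp 135
10.1.4.77 10.1.4.1 tcp 135
10.1.4.77 10.1.4.2 tcp 135
10.1.4.77 10.1.4.3 tcp 135
malformed line
"""

# Process names from the report: saatg.exe plus numbered ~1.exe, ~2.exe, ...
NUMBERED_CHILD = re.compile(r"^~\d+\.exe$", re.IGNORECASE)


def rpc_sweepers(flow_text, threshold=5):
    """Map each source to its count of distinct TCP/135 destinations,
    keeping only sources at or above the (assumed) threshold."""
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, dst, proto, port = parts
        if proto.lower() == "tcp" and port == "135":
            targets[src].add(dst)  # set: repeat connections count once
    return {s: len(d) for s, d in targets.items() if len(d) >= threshold}


def suspicious_processes(names):
    """Return the process names matching the reported indicators."""
    return sorted(n for n in names
                  if n.lower() == "saatg.exe" or NUMBERED_CHILD.match(n))


if __name__ == "__main__":
    print(rpc_sweepers(SAMPLE_FLOWS))
    print(suspicious_processes(["explorer.exe", "saatg.exe", "~1.exe"]))
```

Counting distinct destinations rather than connections keeps a client that talks repeatedly to one RPC server from being flagged as a sweeper.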