Israeli ISP's experience broadband dialer malware outbreak

• Previous message (by thread): A Road Runner NOC contact
• Next message (by thread): Agenda so far for NANOG33
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I received several notices today from fellow ISP's, originally from an 
Israeli ISP's security information sharing mailing list, that several 
large Israeli ISP's experience an outbreak that cause tech support lines 
to overflow.

Basically, this malware appears to change dialer configuration for 
broadband users. "Advanced" setting is turned back to "Basic", Local 
Area Connection is being played with, the user name is changed to 
<random number>username, etc.

The users get the following errors: 734 ,769, 789 or 800.

On the press, several rumors are circulating:
1. This thing is from Kazaa.
2. Process names are: chksp2.exe, sp2ctr.exe and glwgmgeb.exe.
3. Also, this link has been provided: 
http://www.sophos.com/virusinfo/analyses/trojdlucam.html

We haven't yet got my hands on a sample, but I hope to have one soon.

I haven't seen any chatter about this in AV forums.. and for now it 
seems to be limited to Israel unless someone can inform me differently?

	Gadi.

• Previous message (by thread): A Road Runner NOC contact
• Next message (by thread): Agenda so far for NANOG33
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]