Israeli ISP's experience broadband dialer malware outbreak
Gadi Evron
ge at linuxbox.org
Wed Dec 22 16:36:57 UTC 2004
I received several notices today from fellow ISP's, originally from an
Israeli ISP's security information sharing mailing list, that several
large Israeli ISP's experience an outbreak that cause tech support lines
to overflow.
Basically, this malware appears to change dialer configuration for
broadband users. "Advanced" setting is turned back to "Basic", Local
Area Connection is being played with, the user name is changed to
<random number>username, etc.
The users get the following errors: 734 ,769, 789 or 800.
On the press, several rumors are circulating:
1. This thing is from Kazaa.
2. Process names are: chksp2.exe, sp2ctr.exe and glwgmgeb.exe.
3. Also, this link has been provided:
http://www.sophos.com/virusinfo/analyses/trojdlucam.html
We haven't yet got my hands on a sample, but I hope to have one soon.
I haven't seen any chatter about this in AV forums.. and for now it
seems to be limited to Israel unless someone can inform me differently?
Gadi.
More information about the NANOG
mailing list