Speaking of viruses...

• Previous message (by thread): Speaking of viruses...
• Next message (by thread): Community meeting RealMedia available
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This file is also detected by CA's eTrust as Win32.TorBot




                                                                           
             Adam Maloney                                                  
             <adam at whee.org>                                               
             Sent by:                                                   To 
             owner-nanog at merit         nanog at merit.edu                     
             .edu                                                       cc 
                                                                           
                                                                   Subject 
             02/10/2005 03:08          Speaking of viruses...              
             PM                                                            
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           





I sent this to CERT this morning.  They apparently were unaware of it, and
as far as I can tell there's nothing on any of the A/V sites about it.  As
of 14:00 CST, these sites are still serving up the virus executable.  I
haven't heard anything back from CERT or UCLA.  Am I the only one seeing
this?!

>From adam at whee.org Thu Feb 10 10:24:16 2005
Date: Thu, 10 Feb 2005 10:24:15 -0600 (CST)
From: Adam Maloney <adam at whee.org>
To: cert at cert.org
Cc: abuse at ucla.edu
Subject: Attn: Bob - Dust.exe

CC'd to abuse at ucla.edu - UCLA, your option "2" for your abuse desk rings to
an
invalid number.

On Monday morning a bunch of our Win2k PC's got infected with a virus. We
are
seeing the infected machines attempting to make FTP connections to various
IP's
- the one's I've seen so far are in UCLA and MIT address space.  The client

connects to the FTP server (all have been Serv-U running under Windows),
logs
in with username "1", password "1", and retrieves Dust.exe

Some of the IP's I've seen connections to:
18.242.5.42 (MIT)
18.241.5.89 (MIT)
169.232.117.223 (UCLA)

The Dust.exe process attempts to install infected files named Jah.exe and
Gamma.exe  Jah is detected by Trend as WORM_RBOT.alo  Gamma is detected as
"possible virus".

Starting this morning Trend started detecting Dust as TROJ_SCNDTHOT.ab
When the machine tried to download it from MIT, Trend caught it as above.
When
it tried to UCLA, Trend did not catch it, and the download succeeded.

When this hit on Monday, we saw infected PC's trying to infect other
machines over tcp/445.  They were trying random IP's in the address space
that the infected computer was configured in.  We did not see any FTP
connections Monday morning like these, however we weren't really looking
for them.

-- END --

After this was sent, I've found some more details.  The Dust.exe file is
also being served by IP's at ThePlanet and ncsd.edu.  The file from UCLA
is about 5K bigger than the files served by the other sites.  This
explains why Trend was catching it when served by MIT but not by UCLA.

After some more investigation, it looks like an infected machine uses a
tcp/445 vulnerability to infect others.  Once the others are hit on 445,
they are instructed to download the payload from these FTP sites.

I've made copies of the files available to CERT.  I'm waiting on Trend to
react to our support request from this morning.

• Previous message (by thread): Speaking of viruses...
• Next message (by thread): Community meeting RealMedia available
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]