Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Virus
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

re: Potential Virus Problem

from [infosecgroup] Network Security [Permanent Link]
Subject: re: Potential Virus Problem
Date: Wed, 6 Apr 2005 23:53:11 -0600 
I work at a large University in the Infosec office.  We have had a
about a dozen new variants of S/D bot in our environment in the last 6
months. We find and send the malicious file(s) to McAfee and they send
us an extra.dat file back which will find and remove the new bug.  How
to submit a file is published on their website.  We usually get an
extra.dat file back from them in a few hours, but it takes about a
week for the new signature to be included in the regular update.  This
is longer than I would have thought.   As I understand the source code
for the S/D bot is published somewhere on the internet so it can be
easily modified.  McAfee would find any of them when they first
appeared, but will find all 12 now.  All of our S/D botted hosts were
connecting out to an IRC site, so once we find the first one we can
use the frontdoor FW logs the find the rest of the compromised boxes.
One of our special SD bots  was trying to connect to the a 10.x.x.x
ip???  This seemed odd to me.   The extra.dat McAfee sends will find
and remove the bot.  We alway recommend a full rebuild, but few techs
or end user do this.


Steve Earls wrote:


Some of our business units are experiencing problems
with a potential virus. We have searched the Web and
various AV sites without much luck. Can anyone shed
some light on the following symptoms? 

The symptoms are:

4 files appear in the winnt\system32 folder.
ihotunib.exe, ikusefote.exe, rudim.exe and
imaxavos.exe. These executables imbed themselves into
the registry and kick off processes that inurn lock
out user accounts at other company locations.

Once these files are removed, it appears that a
rpc_svchost process kicks off and consumes 99% of the
available processor time. This renders the systems
un-useable. 

W2k and XP systems are affected. The following seem to
hit pretty close but not dead-on. 

·         Win32/SdBot.45568!Worm (also known as:
Backdoor.Win32.SdBot.gen)

·         Win32.Slinbot.ACT (also known as:
W32/Sdbot.worm.gen.j, Backdoor.Win32.SdBot.gen)




Steve



              
__________________________________ 
Do you Yahoo!? 
Yahoo! Personals - Better first dates. More second dates. 
http://personals.yahoo.com
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Potential Virus Problem, Steve Earls
Next by Date:  R: Potential Virus Problem, Lino Riccobono
Previous by Thread:  Potential Virus Problem, Steve Earls
Next by Thread:  R: Potential Virus Problem, Lino Riccobono
Indexes:  [Date] [Thread] [Top] [All Lists]