Security Incidents
mailing list archives
RE: New virus outbreak?
From: Danny <Danny () drexel edu>
Date: Fri, 7 Mar 2003 19:44:07 -0500
|->BackDoor-JZ is not a virus but a remote access Trojan (RAT). It does
|->not replicate by itself (if it did, it would be called a virus, or by
|->some, a worm, depending on the replication method).
|->
|->But, BackDoor-JZ is a single file malware so it seems you have a
|->little more than just BackDoor-JZ...
|->
You're right, sorry about that, and I see your point. BTW, I did not mean to sound like an alarmist with the subject; there was supposed to be a "?" on there.
|->> > cbnegs.exe
|->> > Winlogon .exe
|->> > sjhdyl.exe
|->> > kbld.exe
|->> > duckduck.exe
|->> > explorer .exe
|->> > ~xxxxx
|->> > oocfwm.exe
|->> > gwigsb.exe
|->> > jkexnj.exe
|->> > lknq.exe
|->> > kjnj.exe
|->
|->All on one machine, or is that an assemblage of names from many of
|->the victims? You see, most RATs can be renamed anything an
|->"attacker" wishes and they work just the same. And most viruses will
|->infect any file or will work regardless of the filename they run
|->from. The same is true of most instances of file-borne malware,
|->regardless of its purpose. Thus, filenames are very weak to useless
|->diagnostics...
|->
- From what I'm told this is an assemblage of the names from a few victims. Again, I'm sorry, I don't have access to the infected hosts, so I don't have first-hand knowledge of how this beasty makes the host react. But I'm trying to get access to an infected host.
|->> The virus appears to infect Windows hosts regardless of the OS
|->> version. It appears to alter the start menu items of infected hosts
|->> and makes them look garbled. At this time I don't know how this
|->> virus is spreading but I will let you know if I find out, none of
|->> the hosts I have access to are currently infected but it appears to
|->> be spreading through our sister network pretty quickly.
|->
|->Given it hits all versions of Windows, and assuming you told us that
|->because you have a fair sprinkling of different Windows versions
|->(which seems likely for a .edu), I'd suggest that it is probably
|->spreading through open or easily guessed or otherwise compromised
|->common accounts or simply through the age-old "try for open shares"
|->approach.
|->
That is my first thought as well; I just haven't been able to confirm it yet.
|->> Has anyone seen anything like this? Or recognize the signature
|->> maybe?
|->
|->All the time.
|->
|->The odds are very high that they have been hit by some kind of bot-
|->net, created from a raft of common system admin tools, possibly an IRC
|->client (usually a renamed copy of mIRC), possibly an FTP server
|->(ServU is popular for this), possibly a DDoS agent and/or some RAT
|->(many RATs have DDoS functionality built-in) and a bunch of scripts
|->(.BAT, .INI for the servers, etc), .REG files, and so on to "drive"
|->it all. Also, of late, it is becoming increasingly common for these
|->things to auto-detect _and_ auto-compromise further hosts (in the
|->early days this was usually left as a manual task for the bot-net
|->owner). At least for ones that do not auto-spread, there is often
|->little for virus scanners to detect, as the applications are
|->"legitimate" (so necessarily detecting them would be a false positive
|->in many, probably most, situations) and the scripts are so malleable
|->and variable that they are easily altered to achieve the same result
|->but avoid detection.
|->
|->> Any info would be greatly appreciated.
|->
|->You say that NAV does not detect anything and that McAfee
|->"mis-detects" Backdoor-JZ -- try sending them samples of all the
|->files that you suspect are related to this thing (from one machine)
|->and see what their analysts say. In fact, you may prefer trying a
|->few other AV companies too -- here is a list of the sample and
|->suspect file submission addresses of the better-known AV developers:
I only say it mis-detects since even when the McAfee AV scanner tells the admin the system has been cleaned, it is reinfected after a reboot. I've asked them to try scanning in safe mode but as of yet have not heard if this has changed the reinfection situation.
|->
|-> Command Software <virus () commandcom com>
|-> Computer Associates (US) <virus () ca com>
|-> Computer Associates (Vet/EZ) <ipevirus () vet com au>
|-> DialogueScience (Dr. Web) <Antivir () dials ru>
|-> Eset (NOD32) <sample () nod32 com>
|-> F-Secure Corp. <samples () f-secure com>
|-> Frisk Software (F-PROT) <viruslab () f-prot com>
|-> Grisoft (AVG) <virus () grisoft cz>
|-> H+BEDV (AntiVir): <virus () antivir de>
|-> Kaspersky Labs <newvirus () kaspersky com>
|-> Network Associates (McAfee) <virus_research () nai com>
|-> Norman (NVC) <analysis () norman no>
|-> Sophos Plc. <support () sophos com>
|-> Symantec (Norton) <avsubmit () symantec com>
|-> Trend Micro (PC-cillin) <virus_doctor () trendmicro com>
|-> (Trend may only accept files from registered users of its products)
|->
|->
As soon as I get a copy of the files I'll fire them off to all the vendors who have asked for a copy as well as those listed here.
Thanks again Nick,
Cheers
Danny
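Nick's point above is that the list of filenames collected from several victims says little, because a RAT or bot tool runs the same under any name. One practical consequence for the responder is to group the collected files by content hash, not by name, before sending samples to the AV vendors. The script below is an added example, not code from the thread: it builds a constructed directory tree of stand-in files (harmless bytes, labelled with a few of the filenames from the thread) and reports which names across which hosts are actually the same file.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path):
    """Content hash of a file, read in chunks so large samples are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def group_by_content(host_paths):
    """Map sha256 -> sorted list of (host, filename) sharing that content.

    Renamed copies of one tool collapse into a single group, so one sample
    per group is enough to submit to a vendor."""
    groups = defaultdict(list)
    for host, path in host_paths:
        groups[sha256_of(path)].append((host, os.path.basename(path)))
    return {digest: sorted(names) for digest, names in groups.items()}


def build_constructed_samples(root):
    """Constructed, harmless stand-ins: the same bytes under different
    names on three 'victims' (a renamed RAT) plus a second distinct tool."""
    tool_a = b"constructed-sample-A" * 4
    tool_b = b"constructed-sample-B" * 4
    layout = {
        "victim1": {"cbnegs.exe": tool_a, "duckduck.exe": tool_b},
        "victim2": {"sjhdyl.exe": tool_a},
        "victim3": {"kbld.exe": tool_a, "oocfwm.exe": tool_b},
    }
    host_paths = []
    for host, files in layout.items():
        host_dir = os.path.join(root, host)
        os.makedirs(host_dir, exist_ok=True)
        for name, data in files.items():
            path = os.path.join(host_dir, name)
            with open(path, "wb") as f:
                f.write(data)
            host_paths.append((host, path))
    return host_paths


def summarize(root=None):
    """Return the content groups for the constructed sample tree."""
    root = root or tempfile.mkdtemp()
    return group_by_content(build_constructed_samples(root))
```

Running `summarize()` on the constructed tree yields two groups: three differently named files that are one binary, and two that are another, so only two samples need to go to each vendor.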