From: "Dave Duke" <dave.duke () cryptic co uk>
Reply-To: <dave.duke () cryptic co uk>
To: "'Danny'" <Danny () drexel edu>, <incidents () securityfocus com>
Subject: RE: New virus outbreak.
Date: Fri, 7 Mar 2003 23:39:34 -0000
MIME-Version: 1.0
Received: from outgoing3.securityfocus.com ([205.206.231.27]) by
mc8-f22.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Mon, 10 Mar
2003 10:16:38 -0800
Received: from lists.securityfocus.com (lists.securityfocus.com
[205.206.231.19])by outgoing3.securityfocus.com (Postfix) with QMQPid
3B455A30B1; Mon, 10 Mar 2003 10:06:13 -0700 (MST)
Received: (qmail 18824 invoked from network); 7 Mar 2003 23:33:09 -0000
X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP
Mailing-List: contact incidents-help () securityfocus com; run by ezmlm
Precedence: bulk
List-Id: <incidents.list-id.securityfocus.com>
List-Post: <mailto:incidents () securityfocus com>
List-Help: <mailto:incidents-help () securityfocus com>
List-Unsubscribe: <mailto:incidents-unsubscribe () securityfocus com>
List-Subscribe: <mailto:incidents-subscribe () securityfocus com>
Delivered-To: mailing list incidents () securityfocus com
Delivered-To: moderator for incidents () securityfocus com
Organization: Cryptic
Message-ID: <000501c2e502$d34ed750$b893bd3e () cryptic co uk>
X-Priority: 1 (Highest)
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook, Build 10.0.4510
In-Reply-To:
<E67283CC1C441B4F9894595F00D9EA4213FD5D41 () EXCHANGE1 drexel edu>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: High
Return-Path:
incidents-return-5171-koremeltdown=hotmail.com () securityfocus com
X-OriginalArrivalTime: 10 Mar 2003 18:16:38.0224 (UTC)
FILETIME=[310E7500:01C2E731]
I would be interested as a security person to test these viri against
cybersight, does anyone have some examples of un-detected viri?
Dave
-----Original Message-----
From: Danny [mailto:Danny () drexel edu]
Sent: 07 March 2003 22:42
To: 'intrusions () incidents org'
Cc: 'incidents () securityfocus com'
Subject: New virus outbreak.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hey Guys,
We have been alerted to a virus outbreak by one of our sister
networks that appears to be new and undetected by Norton AV and is
mis-detected by McAfee. McAfee detects this virus as backdoor-jz but is
unable to clean the virus. Sorry I don't have a whole lot of details on
this
yet but here is a list of the files running on infected systems.
>
> These are the virus processes that we've seen running:
>
> cbnegs.exe
> Winlogon .exe
> sjhdyl.exe
> kbld.exe
> duckduck.exe
> explorer .exe
> ~xxxxx
> oocfwm.exe
> gwigsb.exe
> jkexnj.exe
> lknq.exe
> kjnj.exe
The virus appears to infect Windows hosts regardless of the OS version. It
appears to alter the start menu items of infected hosts and makes them look
garbled. At this time I don't know how this virus is spreading but I will
let you know if I find out, none of the hosts I have access to are
currently
infected but it appears to be spreading through our sister network pretty
quickly.
Has anyone seen anything like this? Or recognize the signature maybe?
Any info would be greatly appreciated.
Cheers
Danny
Network Security Engineer
Drexel University
PGP Print: C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC F4ED F1E0 PGP Key:
http://akasha.irt.drexel.edu/danny.asc
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPmkhA2b1zPz07fHgEQItBwCbBxNG2j/HPrqgwAfoyZhMy4CXvp0AoMqM
fACTSk3u63sEDW+okA5XssUL
=D2mI
-----END PGP SIGNATURE-----
----------------------------------------------------------------------------
<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";>
http://www.securityfocus.com/stillsecure </A>
----------------------------------------------------------------------------
<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";>
http://www.securityfocus.com/stillsecure </A>
Intro
