----- Original Message -----
From: "Humes, David G." <David.Humes_at_jhuapl.edu>
To: <incidents_at_securityfocus.com>
Sent: Friday, July 09, 2004 2:01 PM
Subject: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3
> Starting around July 8th we noticed workstations trying to access
> 67.109.249.3 on port 80 and do a
>
> GET /download/IEService215.chm HTTP/1.1
>
> Analysis of the users' browsing activity did not reveal any pattern that
> would suggest that the activity was user-initiated. We suspect that this is
> something trying to "phone home", but not sure quite what. A reverse lookup
> of the IP just returns 67.109.249.3.ptr.us.xo.net, and whois just tells me
> that it belongs to XO. Has anyone else seen this and know what it is?
>
After consulting with some experts, the chm file is VBS\Psyme and it
downloads IEService215.exe from the same site. *That* file is
Trojan.Win32.StartPage.kf. Your computers are infected. I'm sending
samples of both the chm file and the exe to the AV vendors, and I've
notified XO's abuse address to take the host offline.
Thanks to both Blue Boar and Joe Stewart for their help with this.
Paul Schmehl (pauls_at_utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
Received on Jul 12 2004
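The thread identifies the infected hosts by the request they attempt, not by anything the user did, so the practical follow-up is a sweep of proxy or web logs for that request. The script below is an added example and is not code from either poster; it takes the host and paths named in the thread as indicators, runs them over a few constructed proxy log lines in an assumed "client host method url status" layout (not a real capture), and reports which internal clients attempted the fetch. A denied request (status 403) is still reported, because the attempt itself is the infection signal; other `.chm` downloads are listed separately at a lower "review" level rather than treated as confirmed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the list thread above.
SUSPECT_HOST = "67.109.249.3"
SUSPECT_PATHS = ("/download/IEService215.chm", "/download/IEService215.exe")

# Constructed sample proxy log lines (assumed layout: client host method url status).
SAMPLE_LOG = """\
10.1.2.34 67.109.249.3 GET http://67.109.249.3/download/IEService215.chm 200
10.1.2.35 www.example.com GET http://www.example.com/index.html 200
10.1.2.34 67.109.249.3 GET http://67.109.249.3/download/IEService215.exe 200
10.1.2.36 67.109.249.3 GET http://67.109.249.3/download/IEService215.chm 403
10.1.2.37 cdn.example.net GET http://cdn.example.net/help/manual.chm 200
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the reasons a record is suspicious; an empty list means nothing matched.

    A denied request (e.g. 403) is still classified: the attempt is the signal.
    """
    reasons = []
    path = urlsplit(rec["url"]).path or "/"
    if rec["host"] == SUSPECT_HOST:
        reasons.append("known-bad host")
    if path in SUSPECT_PATHS:
        reasons.append("known-bad path")
    elif path.lower().endswith(".chm"):
        # Not one of the thread's indicators; flag for analyst review only.
        reasons.append("chm download (review)")
    return reasons


def find_infected_clients(log_text):
    """Map each client with at least one hit to the sorted list of distinct reasons."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in classify(rec):
            hits[rec["client"]].add(reason)
    return {client: sorted(reasons) for client, reasons in hits.items()}


if __name__ == "__main__":
    for client, reasons in sorted(find_infected_clients(SAMPLE_LOG).items()):
        print(f"{client}: {', '.join(reasons)}")
```

Run against a real proxy export, adjust `LINE_RE` to the log format in use; the indicator lists are the only part that should need to change when a new sample is identified.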