Security Basics mailing list archives
RE: Possible virus?
From: "Spencer D'oro" <sdoro () comcast net>
Date: Thu, 18 Dec 2003 08:33:56 -0800
It looks like everyone agrees that this is a virus. However, I recently ran into an instance when something other than IRC was using ports 6666, 6667 and 6668. It is the UPS PowerChute program. I found this out by using F-Port to tie processes to ports. (Funny, it was an NT box, and I had to find and DL an older version of F-Port; 2.0 is no longer backward compatible with NT, you have to use 1.33 F-PortNG.)

I mention this because when I first saw these ports open and listening, I instantly thought IRC Zombie, and almost ran to tell the client. I decided to investigate further and bring the client a full analysis of what happened. Turns out I was wrong, and would have freaked out the client for nothing. I know this is not the case here, and I know there was much evidence other than ports to support viral attack, but I thought I should mention it here. I don't know if CyberPower uses the ports by default, just thought I should let others know.

-----Original Message-----
From: Srecko Jovancevic [mailto:xxx-x () amadeus uni-bk ac yu]
Sent: Monday, December 15, 2003 10:59 PM
To: 'Dinesh'; 'Jennifer Fountain'; security-basics () securityfocus com
Subject: RE: Possible virus?

It is a virus, win32.rmvalla worm. It corresponds to the same symptoms.

-----Original Message-----
From: Dinesh [mailto:dinesh () drw net]
Sent: Monday, December 15, 2003 8:41 PM
To: Jennifer Fountain; security-basics () securityfocus com
Subject: Re: Possible virus?

Jennifer,

Could be an Eggdrop script running on one of your servers that is causing this traffic. Port 6667 is used for IRC (Internet Relay Chat). Looks like it is on the box with the IP 69.50.163.130. Check the running processes on the box and look for anomalies.

Dinesh

****

At 09:46 AM 12/15/03 -0500, Jennifer Fountain wrote:
Hi all,

I have been seeing a lot of strange traffic hitting my firewall and cannot get a definite answer as to what it actually is.

Dec 15 01:42:35 fw.domain.com Dec 15 2003 01:37:38: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/2363
Dec 14 10:56:43 fw.domain.com Dec 14 2003 10:51:55: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/4001
Dec 13 23:00:15 fw.domain.com Dec 13 2003 22:55:34: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/2423
Dec 13 23:50:51 fw.domain.com Dec 13 2003 23:46:09: %PIX-4-106023: Deny tcp src outside:68.34.60.101/6667 dst inside:x.x.x.x/1726 by access-group "outside_access_in"

From what I am seeing, it is from the same IP and src port - 6667 but going to different IPs and dest ports. I have seen this activity from numerous hosts and a dig cannot find anything about them. I have seen a massive increase of this traffic over the last couple of days and can't find any conclusive evidence that it may be a virus in the wild. Has anyone else seen this type of traffic? Any information is greatly appreciated.

Jenn
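Added example, written for this archive page and not posted by anyone in the thread: a small Python parser for the PIX deny lines Jennifer quoted, which groups denied packets by source address when the source port is an IRC port and the destination port is ephemeral. The sample log text is constructed from the four lines in the thread plus one unrelated HTTP-sourced deny so the filter has something to ignore; the IRC port list and the "at least two distinct destination ports" threshold are assumptions. One source answering from 6667 to several ephemeral ports on your side is the shape of an IRC server responding to sessions that were opened from inside, which is where Dinesh's reply points. As Spencer's PowerChute story shows, the port alone is a lead rather than a verdict: the confirmation step is on the host, tying the port to a process.

```python
import re
from collections import defaultdict

# Constructed sample input: the four PIX deny lines quoted in the thread,
# plus one deny from a web server (source port 80) that the IRC filter
# should leave alone.
SAMPLE_LOG = """\
Dec 15 01:42:35 fw.domain.com Dec 15 2003 01:37:38: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/2363
Dec 14 10:56:43 fw.domain.com Dec 14 2003 10:51:55: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/4001
Dec 13 23:00:15 fw.domain.com Dec 13 2003 22:55:34: %PIX-3-106011: Deny inbound (No xlate) tcp src outside:69.50.163.130/6667 dst outside:x.x.x.x/2423
Dec 13 23:50:51 fw.domain.com Dec 13 2003 23:46:09: %PIX-4-106023: Deny tcp src outside:68.34.60.101/6667 dst inside:x.x.x.x/1726 by access-group "outside_access_in"
Dec 13 23:51:02 fw.domain.com Dec 13 2003 23:46:20: %PIX-4-106023: Deny tcp src outside:198.51.100.7/80 dst inside:x.x.x.x/3345 by access-group "outside_access_in"
"""

# Both message types seen in the thread, %PIX-3-106011 ("No xlate") and
# %PIX-4-106023 (ACL deny), carry the same "src <if>:<ip>/<port> dst
# <if>:<ip>/<port>" layout, so one pattern covers both.
PIX_DENY = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): Deny (?:inbound \(No xlate\) )?"
    r"(?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\w.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+)"
)

# Assumed port list: the usual IRC server range plus 7000.
IRC_PORTS = set(range(6660, 6670)) | {7000}
EPHEMERAL_MIN = 1024


def parse_pix_denies(text):
    """Return one dict per recognised PIX deny line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PIX_DENY.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sev"] = int(rec["sev"])
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def irc_reply_sources(records, min_dst_ports=2):
    """Group denies whose source port is an IRC port and whose destination
    port is ephemeral, by source IP.

    Returns {src_ip: sorted distinct destination ports} for every source
    that reached at least min_dst_ports distinct ports. Packets *from*
    6667 *to* ephemeral ports are what a client would receive back after
    it opened an IRC session, so repeated hits from one source are worth
    a look at the inside hosts, not at the source.
    """
    hits = defaultdict(set)
    for r in records:
        if r["sport"] in IRC_PORTS and r["dport"] >= EPHEMERAL_MIN:
            hits[r["src"]].add(r["dport"])
    return {ip: sorted(ports) for ip, ports in hits.items()
            if len(ports) >= min_dst_ports}


def report(text, min_dst_ports=2):
    """One human-readable line per flagged source."""
    flagged = irc_reply_sources(parse_pix_denies(text), min_dst_ports)
    return [
        f"{ip}: src port in IRC range, {len(ports)} distinct ephemeral "
        f"dst ports {ports}"
        for ip, ports in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against a real PIX syslog feed, the output lists outside addresses to hand to whoever owns the inside hosts; the next step is on those hosts, listing which process holds the connection (fport on NT/2000, as Spencer did), since a legitimate program can sit on the same ports.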
Current thread:
- Possible virus? Jennifer Fountain (Dec 15)
- Re: Possible virus? DRW Customer Service (Dec 15)
- RE: Possible virus? Mike (Dec 16)
- Re: Possible virus? Melvin Foong (Dec 15)
- Re: Possible virus? Devilscrow Sr (Dec 15)
- RE: Possible virus? Joey Peloquin (Dec 15)
- <Possible follow-ups>
- Re: Possible virus? Dinesh (Dec 15)
- RE: Possible virus? Srecko Jovancevic (Dec 16)
- RE: Possible virus? Spencer D'oro (Dec 18)
- RE: Possible virus? Srecko Jovancevic (Dec 16)
- RE: Possible virus? Melvin Foong (Dec 16)
- Re: Possible virus? DRW Customer Service (Dec 15)
