funsec mailing list archives
Re: Panda worm
From: Craig Schmugar <craig () getvirushelp com>
Date: Sat, 28 Nov 2009 19:59:33 -0800
Here's some info:

http://vil.nai.com/vil/content/v_141204.htm
http://vil.nai.com/vil/content/v_244825.htm

-- Update November 25th, 2009 --

A new variant of W32/Fujacks.worm was identified with some new characteristics. This variant is installed as a hidden service on the infected system. The following activities were observed:

Disables Safe boot and Network boot modes.

Creates the following files:

* C:\WINDOWS\system32\dllcache\lsasvc.dll
* C:\WINDOWS\system32\[random_name].dll
* %TEMP%\Loopt.bat

where %TEMP% points to the temporary folder of the logged-on user.

This variant also drops a rootkit component to a file named %WINDOWS%\Temp\nthid.sys and executes it as a service. The file is deleted after it runs. We detect this rootkit as W32/Fujacks!rootkit. The [random_name].dll is the hidden service, which checks for the existence of lsasvc.dll and the rootkit component and drops them if they are not running.

Creates the following registry key to restart on reboot:

* HKLM\SYSTEM\CurrentControlSet\Services\[random_name]

where [random_name] is the same name as the file created above.

Creates the following named pipes:

* \\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A
* \\.\NtHid

Those pipes are used to communicate with the lsasvc.dll and the rootkit component.

Modifies the content of %SYSTEM32%\drivers\etc\hosts to the following:

127.0.0.1 localhost

Regards,
Craig

On Sat, 2009-11-28 at 21:10 -0600, RandallM wrote:
> anyone have more info on what to look for? I don't want my Holiday season destroyed!
>
> China warns about return of destructive Panda virus
> The Panda Burning Incense worm had infected millions of Chinese PCs in early 2007
> By Owen Fletcher, IDG News Service, 11/27/2009
> http://preview.tinyurl.com/yfcfwyg
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
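A host-triage helper for the indicators quoted in Craig's message, added here as an example and not code from McAfee, the VIL entry or the list. It matches the fixed file names and the two named objects against inventories passed in, so the matching logic runs on any platform; the live collector is stdlib-only and assumes %SystemRoot% stands for the C:\WINDOWS / %WINDOWS% locations the entry lists (the service and second DLL names are random and have no fixed indicator).

```python
"""Match the fixed W32/Fujacks variant indicators from the quoted VIL text.

Matching works on caller-supplied inventories; collect_windows() fills them
on a live Windows host using only the standard library.
"""
import os
import sys

# Named objects from the VIL text (case-insensitive on Windows).
FUJACKS_PIPES = (
    r"\\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A",
    r"\\.\NtHid",
)
# %SystemRoot% is assumed to stand for the C:\WINDOWS / %WINDOWS% paths in the entry.
FUJACKS_FILES = (
    (r"%SystemRoot%\system32\dllcache\lsasvc.dll", "hidden-service helper DLL"),
    (r"%TEMP%\Loopt.bat", "dropped batch file"),
    # nthid.sys is deleted once the rootkit service runs: absence proves nothing.
    (r"%SystemRoot%\Temp\nthid.sys", "rootkit driver, transient"),
)


def expand(path, env):
    """Expand %VAR% tokens from the mapping `env` (not os.environ), so the
    matcher can be exercised with a constructed environment on any platform."""
    for key, value in env.items():
        path = path.replace("%" + key + "%", value)
    return path


def match_pipes(open_names):
    """Return the Fujacks object names present in an inventory of open names."""
    seen = {n.lower() for n in open_names}
    return [p for p in FUJACKS_PIPES if p.lower() in seen]


def match_files(existing, env):
    """Return (expanded_path, description) for each indicator file in `existing`."""
    present = {p.lower() for p in existing}
    hits = []
    for template, what in FUJACKS_FILES:
        full = expand(template, env)
        if full.lower() in present:
            hits.append((full, what))
    return hits


def collect_windows():
    """Live inventories: names in the pipe namespace (re-prefixed) and the
    indicator files that exist. NtHid is a device name, not a pipe, and is not
    enumerated this way, so its absence from the result is not clearance."""
    if sys.platform != "win32":
        raise RuntimeError("live collection only works on Windows")
    pipes = ["\\\\.\\pipe\\" + n for n in os.listdir("\\\\.\\pipe\\")]
    env = dict(os.environ)
    files = [expand(t, env) for t, _ in FUJACKS_FILES]
    return match_pipes(pipes), match_files([f for f in files if os.path.exists(f)], env)
```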