
View Full Version : RE: [AppSec-research] New Worm/Virus April 8th



Polazzo Justin
08/04/04, 21:45
I know that it is bad form to reply to your own post, but here it goes anyway:

There is an accompanying file called nwiz.exe in the \Winnt folder.

The worm/virus writes the following to an infected machines hosts file

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com

I also noticed that the fully patched and AV protected machines that were infected had lame administrator passwords (and the account "Administrator" had not been renamed), which is the most likely point of compromise.

All in all not something to worry about unless you don't have MS03-039 or use 123456 as your admin password :)

jp

-----Original Message-----
From: owner-appsec-research@linuxbox.org
[mailto:owner-appsec-research@linuxbox.org]On Behalf Of Polazzo Justin
Sent: Thursday, April 08, 2004 9:53 AM
To: appsec-research@linuxbox.org
Cc: bugtraq@securityfocus.com
Subject: [AppSec-research] New Worm/Virus April 8th



Mail from "Polazzo Justin" <Justin.Polazzo@facilities.gatech.edu>

Concerning the new worm type infection spreading around today (6:15am EST)

the file is called ndemon.exe (.99k) and it puts itself into c:\winnt and c:winnt\system32. Registry entries HKLM\Software|Microsoft|CurrentVersion\Run and HKLM\Software|Microsoft|CurrentVersion\RunServices (Think it creates that one).

At first look:
it then tries to propagate itself via MS ports 135, and 139 VIA known flaws and password guessing. It also listens for other infected machines on port 1025 and scans for MS IIS boxes on port 80 (to try known exploits as well)

The infected machines were win2k SP4 (fully Patched) Running Symantec AV v8.6

Just a heads up

jp

Justin Polazzo
CSS II, Facilities IT
Georgia Institute of Technology
915 Atlantic Drive
Atlanta, GA 30332-0350

404-894-6804 Voice
404-894-8088 Facsimile

justin.polazzo@facilities.gatech.edu

Request assistance at <http://it.facilities.gatech.edu/it-helpdesk.php>

Submit a question or comment at <http://it.facilities.gatech.edu/comments.php>

http://www.cauce.org A site to help fight Spam

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited.

If you received this in error, please contact the sender and delete the material from any computer.

-
AppSec-Research, the place for Reverse Engineers.
To unsubscribe send mail to majordomo@linuxbox.org
with 'unsubscribe AppSec-Research' in the message body.
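The hosts-file tampering described in the reply above is a cheap, durable indicator to check for: once vendor update and signature domains resolve to 127.0.0.1, the installed AV silently stops updating. The following is an added example, not code from the post or from any vendor: a small Python checker that parses hosts-file text and reports any security-vendor hostname pinned to a loopback or unspecified address. The vendor zone list is taken from the entries quoted in the post; the sample hosts content is constructed for the example, and the internal `intranet.example.com` line is an assumed legitimate entry included to show it is not flagged.

```python
"""Flag hosts-file entries that redirect security-vendor domains to loopback.

Added example for the thread above; not part of the original post.
"""
import ipaddress

# Constructed sample hosts file: a stock Windows header, a normal localhost
# line, a few of the entries the post reports the worm writing, and one
# assumed-legitimate internal mapping that must not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.mcafee.com
127.0.0.1 f-secure.com
192.168.1.10 intranet.example.com   # assumed legitimate internal entry
"""

# Vendor zones taken from the list quoted in the post. Matching is by
# DNS suffix so subdomains such as liveupdate.symantec.com are covered.
VENDOR_ZONES = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com",
)

# Names that legitimately map to loopback and must never be reported.
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names is not a mapping
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; ignore rather than crash
        for name in fields[1:]:
            yield ip, name.lower()


def in_vendor_zone(name):
    """True if name is one of the watched zones or a subdomain of one."""
    return any(name == zone or name.endswith("." + zone) for zone in VENDOR_ZONES)


def find_blocked_vendors(text):
    """Return a sorted list of vendor hostnames pinned to 127.x/::1/0.0.0.0."""
    hits = set()
    for ip, name in parse_hosts(text):
        if name in LEGITIMATE_LOOPBACK_NAMES:
            continue
        # 0.0.0.0 (is_unspecified) is another common blackhole address.
        if (ip.is_loopback or ip.is_unspecified) and in_vendor_zone(name):
            hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts;
    # read it with open(path).read() and pass the text here instead.
    for host in find_blocked_vendors(SAMPLE_HOSTS):
        print("vendor domain blackholed via hosts file:", host)
```

Run against a real machine by feeding `find_blocked_vendors` the contents of `%SystemRoot%\System32\drivers\etc\hosts`; any hit is worth investigating alongside the `ndemon.exe`/`nwiz.exe` file and Run-key indicators given in the thread, and the immediate remediation is to remove the bogus lines so the AV can update again.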