a new virus?

Thread starter: Rodrigo Ventura

Rodrigo Ventura

This looks like a new virus; OfficeScan is unable to find it. Here
are the symptoms:

- exploits port 445; massively tries random IPs in the same subnet the
machine is on; this leads to an ARP storm;

- opens a backdoor at some port; responds to connections to that port
with the message "220 StnyFtpd 0wns j0"; this may look like
WORM_KIBUV.B, but its behaviour differs w.r.t. the other syntoms;

- opens an IRC connection to the IP 66.219.107.140 port 31375; I
intercepted these two messages:

(1) "PRIVMSG #Exploit :[lsass_445]: Exploiting "
(2) ":HyperX.DarK.Com 404 nirjwmd #Exploit :No "

and the IRC server identifies itself as "HyperX.DarK.Com (¤DarK¤
NeTworKs Root Server)";

- one of the infected machines identifies itself to the IRC server as
"nirjwmd ([email protected])";

Any clues? Any place where it may be useful to report this info to?

Cheers,

Rodrigo

--

*** Rodrigo Martins de Matos Ventura <[email protected]>
*** Web page: http://www.isr.ist.utl.pt/~yoda
*** Teaching Assistant and PhD Student at ISR:
*** Instituto de Sistemas e Robotica, Polo de Lisboa
*** Instituto Superior Tecnico, Lisboa, PORTUGAL
*** PGP fingerprint = 0119 AD13 9EEE 264A 3F10 31D3 89B3 C6C4 60C6 4585
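As an added example (not code from the thread or from any participant), a small Python triage script that checks constructed log lines for the three indicators listed above: a burst of port-445 connections to many hosts in the same /24, the "220 StnyFtpd 0wns j0" backdoor banner, and an IRC PRIVMSG reporting an lsass_445 exploit attempt. The log line format, the 10.1.2.x hosts and the scan threshold are assumptions.

```python
import re

# Constructed sample lines in an assumed "time src dst:port payload" format;
# 10.1.2.50 plays the infected host, 66.219.107.140:31375 is the IRC server from the post.
SAMPLE_LOG = """\
10:00:01 10.1.2.50 10.1.2.17:445 SYN
10:00:01 10.1.2.50 10.1.2.203:445 SYN
10:00:01 10.1.2.50 10.1.2.88:445 SYN
10:00:01 10.1.2.50 10.1.2.9:445 SYN
10:00:02 10.1.2.50 10.1.2.140:445 SYN
10:00:02 10.1.2.50 10.1.2.31:445 SYN
10:00:03 10.1.2.50 10.1.2.77:33010 BANNER 220 StnyFtpd 0wns j0
10:00:04 10.1.2.50 66.219.107.140:31375 IRC PRIVMSG #Exploit :[lsass_445]: Exploiting
10:00:05 10.1.2.12 10.1.2.5:445 SYN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (.*)$")
BACKDOOR_BANNER = "220 StnyFtpd 0wns j0"                    # banner quoted in the post
IRC_EXPLOIT_RE = re.compile(r"PRIVMSG \S+ :\[lsass_445\]")  # message (1) in the post
SCAN_THRESHOLD = 5  # distinct same-/24 hosts hit on 445; the tuning value is an assumption


def same_subnet24(a, b):
    """True when both dotted-quad addresses share their first three octets."""
    return a.split(".")[:3] == b.split(".")[:3]


def analyse(log_text):
    """Return the hosts matching each of the three symptoms from the post."""
    targets445 = {}  # src -> set of same-subnet hosts it touched on port 445
    findings = {"scanners": set(), "backdoor_hosts": set(), "irc_c2": set()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, src, dst, port, payload = m.groups()
        if port == "445" and same_subnet24(src, dst):
            targets445.setdefault(src, set()).add(dst)
        if payload.startswith("BANNER ") and BACKDOOR_BANNER in payload:
            findings["backdoor_hosts"].add(src)  # src is the host answering with the banner
        if payload.startswith("IRC ") and IRC_EXPLOIT_RE.search(payload):
            findings["irc_c2"].add((src, f"{dst}:{port}"))
    for src, dsts in targets445.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings["scanners"].add(src)
    return findings
```

Any host that shows up in more than one of the three sets is the one to pull off the network first.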
 
Rodrigo Ventura said:
This looks like a new virus; OfficeScan is unable to find it. Here
are the symptoms:

- exploits port 445; massively tries random IPs in the same subnet the
machine is on; this leads to an ARP storm;
- opens an IRC connection to the IP 66.219.107.140 port 31375; I
intercepted these two messages:

Using the lsass exploit, scanning the network, and talking to an IRC server.
I immediately think an Agobot variant. You can report it to any number
of antivirus vendors, but their reply will probably be a generic virus
identification that won't help you clean it. If this thing is already
uploading info to an irc server, and it's on a domain, you're going to want
to change all your passwords after you get it cleaned off.
 
1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download sysclean.com and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example, lpt238.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

You can also try some of the below online scanners.

BitDefender:
http://www.bitdefender.com/scan/license.php

Computer Associates:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

DialogueScience:
http://www.antivir.ru/english/www_av/

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

Freedom Online scanner:
http://www.freedom.net/viruscenter/index.html

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

PC Pitstop
http://www.pcpitstop.com/antivirus/AVLoad.asp

RAV
http://www.ravantivirus.com/scan/

Symantec:
http://security.symantec.com/

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com


* * * Please report your results ! * * *

Dave

 
David> * * * Please report your results ! * * *

McAfee AVERT WebImmune detected a virus in the winxp2.exe file:
w32/sdbot.worm.gen.h.

Cheers,

Rodrigo

 
Obtain McAfee's virus and worm removal tool, Stinger: http://vil.nai.com/vil/stinger/

1) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot your PC into Safe Mode
3) Using McAfee Stinger, perform a Full Scan of your platform and clean/delete any
infectors found
4) Restart your PC and perform a "final" Full Scan of your platform
5) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
6) Reboot your PC.
7) If you are using WinME or WinXP, create a new Restore point
8) Please report back your results

Dave

 
Is this on a home computer or is it on a computer which is a member of a
domain? I am interested to see what kind of damage it might have done.
 