New virus - VERY DANGEROUS!

Scott Bolander

Nod32 does not know what it is, but sees it as a "Unknown win32 virus"
and it still stops it.

This virus replaces nearly ALL of the exe files on a machine with virus
infected files. Most AV products do not detect it; McAfee discovered it
yesterday.

This ended up on three machines yesterday at a client of mine; I had not
been out in quite a while (he is incredibly cheap) so all his stuff was
out of date or broken. His Norton AV would not have caught it anyway.


FYI:

AntiVir 6.31.0.9 07.14.2005 W32/Stanit
AVG 718 07.14.2005 Win32/Gaelicum.A
Avira 6.31.0.9 07.14.2005 W32/Stanit
BitDefender 7.0 07.14.2005 no virus found
CAT-QuickHeal 7.03 07.14.2005 no virus found
ClamAV devel-20050501 07.14.2005 no virus found
DrWeb 4.32b 07.14.2005 Win32.Gael.3666
eTrust-Iris 7.1.194.0 07.13.2005 no virus found
eTrust-Vet 11.9.1.0 07.14.2005 no virus found
Fortinet 2.36.0.0 07.14.2005 suspicious
F-Prot 3.16c 07.14.2005 could be infected with an unknown virus
Ikarus 2.32 07.14.2005 no virus found
Kaspersky 4.0.2.24 07.14.2005 Virus.Win32.Tenga.a
McAfee 4535 07.14.2005 W32/Gael
NOD32v2 1.1168 07.14.2005 probably unknown WIN32 virus
Norman 5.70.10 07.14.2005 no virus found
Panda 8.02.00 07.14.2005 no virus found
Sybari 7.5.1314 07.14.2005 W32/Gael
Symantec 8.0 07.13.2005 no virus found
TheHacker 5.8.2.070 07.13.2005 no virus found
VBA32 3.10.4 07.14.2005 no virus found
 
David H. Lipman

From: "Scott Bolander" <[email protected]>

| Nod32 does not know what it is, but sees it as a "Unknown win32 virus"
| and it still stops it.
|
| This virus replaces nearly ALL of the exe files on a machine with virus
| infected files. Most AV products do not detect it; McAfee discovered it
| yesterday.
|
| This ended up on three machines yesterday at a client of mine; I had not
| been out in quite a while (he is incredibly cheap) so all his stuff was
| out of date or broken. His Norton AV would not have caught it anyway.
|
| FYI:
|
| AntiVir 6.31.0.9 07.14.2005 W32/Stanit
| AVG 718 07.14.2005 Win32/Gaelicum.A
| Avira 6.31.0.9 07.14.2005 W32/Stanit
| BitDefender 7.0 07.14.2005 no virus found
| CAT-QuickHeal 7.03 07.14.2005 no virus found
| ClamAV devel-20050501 07.14.2005 no virus found
| DrWeb 4.32b 07.14.2005 Win32.Gael.3666
| eTrust-Iris 7.1.194.0 07.13.2005 no virus found
| eTrust-Vet 11.9.1.0 07.14.2005 no virus found
| Fortinet 2.36.0.0 07.14.2005 suspicious
| F-Prot 3.16c 07.14.2005 could be infected with an unknown virus
| Ikarus 2.32 07.14.2005 no virus found
| Kaspersky 4.0.2.24 07.14.2005 Virus.Win32.Tenga.a
| McAfee 4535 07.14.2005 W32/Gael
| NOD32v2 1.1168 07.14.2005 probably unknown WIN32 virus
| Norman 5.70.10 07.14.2005 no virus found
| Panda 8.02.00 07.14.2005 no virus found
| Sybari 7.5.1314 07.14.2005 W32/Gael
| Symantec 8.0 07.13.2005 no virus found
| TheHacker 5.8.2.070 07.13.2005 no virus found
| VBA32 3.10.4 07.14.2005 no virus found

Thanx for the info Scott.

Do you know if Trend Micro detects it?

If not, I have a liaison at Trend I can submit it to.
 
Virus Guy

W32.Licum

https://www-secure.symantec.com/avcenter/venc/data/pf/w32.licum.html

Discovered on: July 13, 2005
Last Updated on: July 14, 2005 04:29:42 PM

When W32.Licum is executed, it performs the following actions:
Downloads the following files:


[http://]utenti.lycos.it/[REMOVED]/dl.exe
[http://]utenti.lycos.it/[REMOVED]/CBACK.EXE
[http://]utenti.lycos.it/[REMOVED]/GAELICUM.EXE

Note: At the time of writing, these files were not available.

Checks for a connection on the vx9.users.freebsd.at domain.

May infect files by appending its code to other executables.


Generates random list of IP addresses and attempts to spread by
exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun
Vulnerability (described in Microsoft Security Bulletin MS03-026)
through TCP port 139.

--------

How many ISP's are blocking ports 135 and 139? Not mine, judging by
my router's log files.

I wonder if DSL or cable modems can be remotely configured by the ISP
to block 135 and 139, or at least be shipped that way (?)
 
David H. Lipman

From: "Virus Guy" <[email protected]>

| W32.Licum
|
| https://www-secure.symantec.com/avcenter/venc/data/pf/w32.licum.html
|
| Discovered on: July 13, 2005
| Last Updated on: July 14, 2005 04:29:42 PM
|
| When W32.Licum is executed, it performs the following actions:
| Downloads the following files:
|
| [http://]utenti.lycos.it/[REMOVED]/dl.exe
| [http://]utenti.lycos.it/[REMOVED]/CBACK.EXE
| [http://]utenti.lycos.it/[REMOVED]/GAELICUM.EXE
|
| Note: At the time of writing, these files were not available.
|
| Checks for a connection on the vx9.users.freebsd.at domain.
|
| May infect files by appending its code to other executables.
|
| Generates random list of IP addresses and attempts to spread by
| exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun
| Vulnerability (described in Microsoft Security Bulletin MS03-026)
| through TCP port 139.
|
| --------
|
| How many ISP's are blocking ports 135 and 139? Not mine, judging by
| my router's log files.
|
| I wonder if DSL or cable modems can be remotely configured by the ISP
| to block 135 and 139, or at least be shipped that way (?)

Modems no. Routers yes (some are dual modem Router/modem and can be placed in either Bridge
or Router mode).

As always, I suggest blocking both TCP and UDP ports 135 ~ 139 and 445 on *any* SOHO Router.
 
Virus Guy

David H. Lipman said:
| I wonder if DSL or cable modems can be remotely configured by
| the ISP to block 135 and 139, or at least be shipped that way(?)

| Modems no.

So ISP's have no ability to stop port 135/137/139 traffic between
subscribers?

Even though that is one of the most common ways that vulnerable
systems get infected?

(they seem to have the ability to block port 445 because I never see
that in my logs)

Why haven't modems been shipped for the past few years with those
ports permanently blocked (in or out-bound) ???

Wouldn't that have been easy, and stopped a lot of infections ???
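As an added example (not code from any poster in this thread), a small Python script that does what Virus Guy does by eye: it reads router logs in the Linux iptables LOG format, tallies hits on the ports Lipman recommends blocking (TCP/UDP 135 through 139 and 445) by direction, and lists the watched ports that never show up inbound, which is the observation behind "I never see 445 in my logs". The log lines, the FW-DROP prefix and the interface names (ppp0 as WAN, eth0 as LAN) are constructed assumptions.

```python
"""Tally hits on the NetBIOS/RPC/SMB ports (135-139, 445) in netfilter-style
router logs, split by direction, and report watched ports never seen inbound."""
import re
from collections import Counter

# Ports named in the thread: RPC endpoint mapper (135), NetBIOS (137-139), SMB (445)
WATCHED_PORTS = {135, 136, 137, 138, 139, 445}

# Constructed sample lines in the iptables LOG target format; not real traffic.
# Assumption: ppp0 is the WAN interface, eth0 the LAN side.
SAMPLE_LOG = """\
Jul 14 08:01:02 gw kernel: FW-DROP IN=ppp0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=3421 DPT=139 SYN
Jul 14 08:01:05 gw kernel: FW-DROP IN=ppp0 OUT= SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP SPT=1083 DPT=135 SYN
Jul 14 08:01:09 gw kernel: FW-DROP IN=ppp0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Jul 14 08:02:11 gw kernel: FW-DROP IN=eth0 OUT=ppp0 SRC=192.168.1.20 DST=10.0.0.77 PROTO=TCP SPT=1044 DPT=445 SYN
Jul 14 08:02:30 gw kernel: FW-DROP IN=ppp0 OUT= SRC=10.0.0.13 DST=192.0.2.10 PROTO=TCP SPT=2201 DPT=80 SYN
"""

FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|DPT)=(\S*)")


def parse_line(line):
    """Return the netfilter key=value fields of one log line as a dict, or None."""
    fields = dict(FIELD_RE.findall(line))
    if "DPT" not in fields or "PROTO" not in fields:
        return None
    fields["DPT"] = int(fields["DPT"])
    return fields


def summarize(log_text, wan_if="ppp0"):
    """Count hits on WATCHED_PORTS keyed by (proto, port), split by direction.
    IN= equal to the WAN interface means the packet arrived from the internet;
    OUT= equal to the WAN interface means it was leaving the LAN."""
    hits = {"inbound": Counter(), "outbound": Counter(), "inbound_sources": set()}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["DPT"] not in WATCHED_PORTS:
            continue  # unparseable, or a port we are not tracking (e.g. 80)
        key = (f["PROTO"], f["DPT"])
        if f.get("IN") == wan_if:
            hits["inbound"][key] += 1
            hits["inbound_sources"].add(f["SRC"])
        elif f.get("OUT") == wan_if:
            hits["outbound"][key] += 1
    return hits


def unseen_inbound_ports(hits):
    """Watched ports with no inbound hits; when the WAN is noisy on the others,
    these are candidates for ports something upstream already drops."""
    seen = {port for _proto, port in hits["inbound"]}
    return sorted(WATCHED_PORTS - seen)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for direction in ("inbound", "outbound"):
        for (proto, port), n in sorted(result[direction].items()):
            print(f"{direction:8s} {proto} dpt={port}: {n}")
    print("inbound sources:", sorted(result["inbound_sources"]))
    print("never seen inbound:", unseen_inbound_ports(result))
```

Run it against a real syslog extract by replacing SAMPLE_LOG with the file contents and wan_if with the router's actual WAN interface name.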
 
ComPCs

As always, I suggest blocking both TCP and UDP ports 135 ~ 139 and 445 on *any* SOHO Router.

Is that ports 135 thru 139, or 135 and 139?

As I have a 'clean' machine, am I OK to just add an 'inbound' rule to my
router instead of also adding an outgoing - albeit I agree the latter
would be added protection to other users were my machine ever
compromised?
 
Gabriele Neukam

On that special day, Virus Guy, ([email protected]) said...
| I wonder if DSL or cable modems can be remotely configured by the ISP
| to block 135 and 139, or at least be shipped that way (?)

That doesn't make sense. If a router can be configured from outside, to
close a specific port, it can be configured, too, to re-open that same
port, or even some more.

Some ISPs block all traffic from dialup users on port 25, to keep the
mail worms and the mass mailings from spreading their stuff. But that
happens on server level.

A modem cannot open or close ports, as it doesn't have any. Basically,
a modem is a beeper that converts data into sounds, and back, in order
to transport those data over the phone.

And ports aren't specific wires which are attached or detached. They
are rather agreements on how to contact each other, while other traffic
is on the way, too. Kind of "I can hear you in this party, because you
have a voice that is lower than most in the crowd".


Gabriele Neukam

(e-mail address removed)
 
Pablo Guildenstern

| That doesn't make sense. If a router can be configured from outside, to
| close a specific port, it can be configured, too, to re-open that same
| port, or even some more.

Some can. It's handy for the techies. It has to be specifically
configured to allow it, usually, I think. I know a bloke who
used to work for Cisco... I'll check with him.
 
David H. Lipman

From: "ComPCs" <[email protected]>

| In article <xMGBe.3947$WA4.2712@trndny04>, [email protected]
| ...
||
| Is that ports 135 thru 139, or 135 and 139?
|
| As I have a 'clean' machine, am I OK to just add an 'inbound' rule to my
| router instead of also adding an outgoing - albeit I agree the latter
| would be added protection to other users were my machine ever
| compromised?

That's the range of TCP and UDP ports 135 ~ 139. It is best to block both inbound and
outbound.
 
David H. Lipman

From: "Virus Guy" <[email protected]>

| "David H. Lipman" wrote:
|
|>> I wonder if DSL or cable modems can be remotely configured by
|>> the ISP to block 135 and 139, or at least be shipped that way (?)
|
| So ISP's have no ability to stop port 135/137/139 traffic between
| subscribers?
|
| Even though that is one of the most common ways that vulnerable
| systems get infected?
|
| (they seem to have the ability to block port 445 because I never see
| that in my logs)
|
| Why haven't modems been shipped for the past few years with those
| ports permanently blocked (in or out-bound) ???
|
| Wouldn't that have been easy, and stopped a lot of infections ???

It is not that they can't, they are reluctant to do so. It will vary from ISP to ISP. For
example, Verizon blocks incoming TCP port 80 to residential customers in former Bellatlantic
regions. Comcast may be blocking NetBIOS over IP.

Modems are not layer 3 devices. They don't filter protocols. They work on Layer 1 or Layer
2 of the OSI model.

Manufacturers will NOT have permanent blocks on ports simply because that will reduce the
functionality of the devices in applications where the protocol passage is desirable.
 
David H. Lipman

From: "Gabriele Neukam" <[email protected]>

| On that special day, Virus Guy, ([email protected]) said...
||
| That doesn't make sense. If a router can be configured from outside, to
| close a specific port, it can be configured, too, to re-open that same
| port, or even some more.
|
| Some ISPs block all traffic from dialup users on port 25, to keep the
| mail worms and the mass mailings from spreading their stuff. But that
| happens on server level.
|
| A modem cannot open or close ports, as it doesn't have any. Basically,
| a modem is a beeper that converts data into sounds, and back, in order
| to transport those data over the phone.
|
| And ports aren't specific wires which are attached or detached. They
| are rather agreements on how to contact each other, while other traffic
| is on the way, too. Kind of "I can hear you in this party, because you
| have a voice that is lower than most in the crowd".
|
| Gabriele Neukam
|
| (e-mail address removed)
|
| --
| Ah, Information. A property, too valuable these days, to give it away,
| just so, at no cost.

You describe Frequency Shift Keying (FSK) used on older DUN modems. However, in the case of
DSL and Cable modems they are NOT true modems (MODulators/DEModulators) and are network
bridges.
 
ComPCs

From: "ComPCs" <[email protected]>

| In article <xMGBe.3947$WA4.2712@trndny04>, [email protected]
| ...
|
|
| Is that ports 135 thru 139, or 135 and 139?
|
| As I have a 'clean' machine, am I OK to just add an 'inbound' rule to my
| router instead of also adding an outgoing - albeit I agree the latter
| would be added protection to other users were my machine ever
| compromised?

That's the range of TCP and UDP ports 135 ~ 139. It is best to block both inbound and
outbound.

ah, thanks ... i'll amend the rule I currently have in place :)
 
Bart Bailey

| Some ISPs block all traffic from dialup users on port 25, to keep the
| mail worms and the mass mailings from spreading their stuff. But that
| happens on server level.

I had a go awhile back with my ISP when they arbitrarily decided to
block p25 without as much as a notification to subscribers, I had
noticed an offshore POP3 account ceased to function for email sending,
and ultimately discovered that it was SBC's fault. I informed them that
if my level of service and access wasn't restored to what I had
originally contracted for, the next sound they heard would likely be
from an attorney, who would also inform them of my new email address
with Earthlink, since DSL was now available to me from Earthlink using
SBC's wires, (how 'bout that).
BTW: I had p25 access back in under two hours.
 
Bart Bailey

| Another thing the world has to 'thank' the USA for ... litigation.
|
| *sigh*

....or at least the threat/promise of it,
otherwise I would have had no sway with a huge American corporation
staffed by "compassionate conservatives"
 
Virus Guy

Gabriele said:
| That doesn't make sense. If a router can be configured from
| outside, to close a specific port, it can be configured, too,
| to re-open that same port, or even some more.

Not necessarily. First, I'm not talking about a "router". I'm
talking about the modem (ie the thing that is almost always supplied
by the ISP that gives you access to their network). These modems can
be set up (theoretically) to accept external commands only from
specific IP addresses (ie IP addresses owned by and specified by the
ISP). Commands coming from the subscriber's own computer would be
ignored.

If the ISP can indeed communicate securely with the modem (which
almost always the ISP supplied to the subscriber, and which the ISP
orders in bulk from specific manufacturer according to its
specifications) then the modem could, in theory, perform out-bound
packet blocking on a port-by-port basis. There ARE certain ports that
the ISP I'm sure would love to block at the modem level, such as ports
135/137/139/445 and 25. By blocking port 25 on a specific modem (or
ALL subscriber modems) then the computers belonging to those
subscribers would NOT BE ABLE to send spam directly from themselves to
the target or destination server (which is how the vast vast vast
majority of spam is sent from computers that are infected with
back-door access programs).

| Some ISPs block all traffic from dialup users on port 25, to keep
| the mail worms and the mass mailings from spreading their stuff.

If that block happened at the modem, then that port-25 junk wouldn't
even get on the network, take up bandwidth, etc.

| But that happens on server level.

Technically it would have to happen at the gate-way level. There is
no "server" involved when an infected home computer starts sending
spam directly to various destinations on the internet.

| A modem cannot open or close ports, as it doesn't have any.

But it does receive TCP/IP packets from your computer (or from your
computer via your intermediate router). Before it turns those TCP
packets into electronic signals to send over the copper wires, it
could perform filtering on specific packet types - ie it could simply
drop packets addressed to ports 135/137/139 (both in-bound and
out-bound) and port 25 (out-bound).

| Basically, a modem is a beeper that converts data into sounds,
| and back, in order to transport those data over the phone.

I believe that the modems have an internal understanding of TCP/IP
packet structure and parsing because that's how they receive data from
and send it back to the subscriber's computer.
 
Virus Guy

David H. Lipman said:
| Manufacturers will NOT have permanent blocks on ports simply
| because that will reduce the functionality of the devices in
| applications where the protocol passage is desirable.

But when it comes to residential internet access, where ISP's make
bulk purchases of modems to distribute to customers, don't the ISP's
have a large ability to specify port-blocking capability that is
tailored to (and which makes ->SENSE<-) to the needs of such a
network?

Is there any legit (and secure) use of ports 135/137/139/445 on a
residential network? Do ISP's use (or think they CAN use) those ports
(now, or in the future) ???

The continued ability for port 135/137/139 traffic to travel inside a
residential network has got to be far more trouble (for ISP's) than
blocking them would ever cause. Or maybe my ISP (sympatico) is one of
a very few that allow such traffic?
 
ComPCs

| ...or at least the threat/promise of it,
| otherwise I would have had no sway with a huge American corporation
| staffed by "compassionate conservatives"

Do you not have choice in the USA?

We do pretty much, here in the UK. Don't like a provider, tell them to
sling their hook and go buy someone else's service.

Is american culture such that you place litigation before choice?
 
David W. Hodgins

| specifications) then the modem could, in theory, perform out-bound
| packet blocking on a port-by-port basis. There ARE certain ports that
| the ISP I'm sure would love to block at the modem level, such as ports
| 135/137/139/445 and 25. By blocking port 25 on a specific modem (or
| ALL subscriber modems) then the computers belonging to those

You are correct. You got my curiosity up, so I did some digging. DOCSIS
compliant modems conform to http://www.ietf.org/rfc/rfc2669.txt which
include "3.3.1. Inbound LLC Filters - docsDevFilterLLCTable". Inbound
in this case, means into the modem, from either side. It can be used
to drop NetBEUI packets, for example.

In the case of port 25 outbound, if it were blocked at the modem, how
would the customer connect to the service providers smtp server? I
currently use port 25 to connect to rogers server, but they have now
blocked all outbound port 25 traffic, past their routers.

For NetBEUI, they could drop the packets going in/out on the cable side,
while still allowing the packets on the lan side of the modem. In my
opinion, they should!

Regards, Dave Hodgins
 
Virus Guy

David W. Hodgins said:
| You are correct. You got my curiosity up, so I did some digging.
| DOCSIS compliant modems conform to
| http://www.ietf.org/rfc/rfc2669.txt which include "3.3.1. Inbound
| LLC Filters - docsDevFilterLLCTable". Inbound in this case,
| means into the modem, from either side. It can be used to drop
| NetBEUI packets, for example.

I didn't think that NetBEUI needed specific blocking (because it
isn't routable) ?

| In the case of port 25 outbound, if it were blocked at the modem,
| how would the customer connect to the service providers smtp
| server?

Yes, I guess I was applying the "block-at-the-modem" strategy a little
too far for port 25.

Such blocking *should be* done at the network gateway by ISP's, and
some claim to do so, but I still get spam (ie port-25 traffic) from
the residential IP space of big players like comcast, road runner,
charter, shaw, etc, on my SMTP server at work.

| I currently use port 25 to connect to rogers server, but they
| have now blocked all outbound port 25 traffic, past their
| routers.

Which is a good thing. Do they do it to be better net.citizens, or to
keep out of various e-mail black lists?

| For NetBEUI, they could drop the packets ...

Do you mean NetBEUI, or netbios (ports 135/137/139/445) ???

NetBEUI (which I prefer for internal file sharing on small networks)
is not even part of the ordinary XP installation (it can be done, but
it takes a bit of extra work). For the vast vast majority of home
PC's (that run XP) they will not have NetBEUI as an installed
protocol.

| going in/out on the cable side, while still allowing the
| packets on the lan side of the modem. In my
| opinion, they should!

Well, like I said in another part of this thread, Sympatico is either
unwilling or unable to (remotely) configure subscriber modems to block
the netbios ports (because I see connection attempts on those ports
hitting my router all the time from IP addresses within the sympatico
IP address range). If you have a similar router setup on Rogers,
your logs would tell you if such port activity was there - or not.

Something else to think about - it could be that there are groups of
people (ie teenagers, hackers, file-sharers) that use the netbios
ports to connect to each-others computers and share files (presumably
as long as they all subscribe to the same ISP). Assuming there is
such a phenomenon (and I have yet to read about it), such a private
file-sharing network would be invisible to organizations like the RIAA
or other such copyright-holders. ISP's would have to weigh the
benefits of retaining netbios transport across their network (and
thereby retain these file-sharing customers) against the resulting
vulnerability to unprotected systems by allowing netbios traffic.
 