New virus outbreak.
From: Danny (Danny@drexel.edu)
Date: 03/07/03
- Previous message: Bennett Todd: "Real-world attacks on sendmail CA-2003-07 seen"
- Next in thread: Dave Duke: "RE: New virus outbreak."
- Reply: Dave Duke: "RE: New virus outbreak."
- Maybe reply: Danny: "RE: New virus outbreak."
- Maybe reply: Harlan Carvey: "re: New virus outbreak."
- Maybe reply: Danny: "RE: New virus outbreak."
- Maybe reply: KoRe MeLtDoWn: "RE: New virus outbreak."
From: Danny <Danny@drexel.edu> To: "'intrusions@incidents.org'" <intrusions@incidents.org> Date: Fri, 7 Mar 2003 17:42:05 -0500
Hey Guys,
We have been alerted to a virus outbreak by one of our sister networks that appears to be new and undetected by Norton AV and is mis-detected by McAfee. McAfee detects this virus as backdoor-jz but is unable to clean the virus. Sorry, I don't have a whole lot of details on this yet, but here is a list of the files running on infected systems.
>
> These are the virus processes that we've seen running:
>
> cbnegs.exe
> Winlogon .exe
> sjhdyl.exe
> kbld.exe
> duckduck.exe
> explorer .exe
> ~xxxxx
> oocfwm.exe
> gwigsb.exe
> jkexnj.exe
> lknq.exe
> kjnj.exe
The virus appears to infect Windows hosts regardless of the OS version. It appears to alter the start menu items of infected hosts and makes them look garbled. At this time I don't know how this virus is spreading, but I will let you know if I find out. None of the hosts I have access to are currently infected, but it appears to be spreading through our sister network pretty quickly.
Has anyone seen anything like this? Or recognize the signature maybe?
Any info would be greatly appreciated.
Cheers
Danny
Network Security Engineer
Drexel University
PGP Print: C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC F4ED F1E0
PGP Key: http://akasha.irt.drexel.edu/danny.asc
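Several names in the quoted list ("Winlogon .exe", "explorer .exe") differ from genuine Windows system binaries only by a space inserted before the extension. As an added example (not code from the original message or the list archive), the following Python script flags such lookalikes in a process listing by collapsing whitespace before comparing names and by checking the directory a system-named process runs from. The sample listing and the expected install paths are constructed assumptions.

```python
import ntpath

# Genuine Windows system binaries and the directory each is expected to run
# from (lower-case).  Constructed assumption: default install paths.
SYSTEM_BINARIES = {
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}

# Constructed sample process listing (image name, full path).  Several names
# are taken from the list quoted in the message above.
SAMPLE_PROCESSES = [
    ("winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),          # genuine
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),                    # genuine
    ("Winlogon .exe", r"C:\WINDOWS\Winlogon .exe"),                  # from the report
    ("explorer .exe", r"C:\WINDOWS\explorer .exe"),                  # from the report
    ("svchost.exe", r"C:\Documents and Settings\user\svchost.exe"),  # wrong directory
    ("duckduck.exe", r"C:\WINDOWS\duckduck.exe"),                    # from the report
]


def normalize(name: str) -> str:
    """Drop embedded whitespace and case so 'Winlogon .exe' reads 'winlogon.exe'."""
    return "".join(name.split()).lower()


def find_lookalikes(processes):
    """Return (raw_name, path, reason) for each process whose name, once
    normalized, is a known system binary but whose raw name or directory
    differs from the genuine one.  Names that match nothing known are left
    alone: this is a lookalike check, not a full allow-list."""
    findings = []
    for raw_name, path in processes:
        canonical = normalize(raw_name)
        if canonical not in SYSTEM_BINARIES:
            continue
        expected_dir = SYSTEM_BINARIES[canonical]
        if raw_name.lower() != canonical:
            findings.append((raw_name, path, "whitespace inserted into system binary name"))
        elif ntpath.dirname(path).lower() != expected_dir:
            findings.append((raw_name, path, f"system binary name running outside {expected_dir}"))
    return findings


if __name__ == "__main__":
    for name, path, reason in find_lookalikes(SAMPLE_PROCESSES):
        print(f"SUSPECT {name!r} at {path}: {reason}")
```

On a live Windows host the same function can be fed the output of a process enumeration tool; names the report lists that mimic nothing (such as duckduck.exe) need a separate allow-list or hash check.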