RE: New virus outbreak.

From: KoRe MeLtDoWn (koremeltdown@hotmail.com)
Date: 03/10/03

  • Next message: Jeremy Junginger: "UPDATE: Possibly Unknown Virus? Care to help me analyze?!?"
    From: "KoRe MeLtDoWn" <koremeltdown@hotmail.com>
    To: dave.duke@cryptic.co.uk, Danny@drexel.edu, incidents@securityfocus.com
    Date: Mon, 10 Mar 2003 20:30:45 +0000
    
    

    Hi Dave,
    If you have some time why not just make one up on an isolated box (that is,
    one that has no internet connection and no LAN connection - it should be
    the only computer within its network). This way you're ensuring the best
    results. If undetected viruses were what you're looking for, that's probably the
    most effective way to go :)

    Kind regards,

    Hamish Stanaway

    -= KoRe WoRkS =- Internet Security
    Owner/Operator
    Auckland
    New Zealand

    http://www.koreworks.com/

    Is your box REALLY secure?

    >From: "Dave Duke" <dave.duke@cryptic.co.uk>
    >Reply-To: <dave.duke@cryptic.co.uk>
    >To: "'Danny'" <Danny@drexel.edu>, <incidents@securityfocus.com>
    >Subject: RE: New virus outbreak.
    >Date: Fri, 7 Mar 2003 23:39:34 -0000
    >MIME-Version: 1.0
    >Received: from outgoing3.securityfocus.com ([205.206.231.27]) by
    >mc8-f22.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Mon, 10 Mar
    >2003 10:16:38 -0800
    >Received: from lists.securityfocus.com (lists.securityfocus.com
    >[205.206.231.19])by outgoing3.securityfocus.com (Postfix) with QMQPid
    >3B455A30B1; Mon, 10 Mar 2003 10:06:13 -0700 (MST)
    >Received: (qmail 18824 invoked from network); 7 Mar 2003 23:33:09 -0000
    >X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP
    >Mailing-List: contact incidents-help@securityfocus.com; run by ezmlm
    >Precedence: bulk
    >List-Id: <incidents.list-id.securityfocus.com>
    >List-Post: <mailto:incidents@securityfocus.com>
    >List-Help: <mailto:incidents-help@securityfocus.com>
    >List-Unsubscribe: <mailto:incidents-unsubscribe@securityfocus.com>
    >List-Subscribe: <mailto:incidents-subscribe@securityfocus.com>
    >Delivered-To: mailing list incidents@securityfocus.com
    >Delivered-To: moderator for incidents@securityfocus.com
    >Organization: Cryptic
    >Message-ID: <000501c2e502$d34ed750$b893bd3e@cryptic.co.uk>
    >X-Priority: 1 (Highest)
    >X-MSMail-Priority: High
    >X-Mailer: Microsoft Outlook, Build 10.0.4510
    >In-Reply-To:
    ><E67283CC1C441B4F9894595F00D9EA4213FD5D41@EXCHANGE1.drexel.edu>
    >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    >Importance: High
    >Return-Path:
    >incidents-return-5171-koremeltdown=hotmail.com@securityfocus.com
    >X-OriginalArrivalTime: 10 Mar 2003 18:16:38.0224 (UTC)
    >FILETIME=[310E7500:01C2E731]
    >
    >I would be interested as a security person to test these viruses against
    >cybersight, does anyone have some examples of un-detected viruses?
    >
    >
    >Dave
    >
    >-----Original Message-----
    >From: Danny [mailto:Danny@drexel.edu]
    >Sent: 07 March 2003 22:42
    >To: 'intrusions@incidents.org'
    >Cc: 'incidents@securityfocus.com'
    >Subject: New virus outbreak.
    >
    >
    >
    >-----BEGIN PGP SIGNED MESSAGE-----
    >Hash: SHA1
    >
    >
    >Hey Guys,
    > We have been alerted to a virus outbreak by one of our sister
    >networks that appears to be new and undetected by Norton AV and is
    >mis-detected by McAfee. McAfee detects this virus as backdoor-jz but is
    >unable to clean the virus. Sorry I don't have a whole lot of details on
    >this yet but here is a list of the files running on infected systems.
    >
    > >
    > > These are the virus processes that we've seen running:
    > >
    > > cbnegs.exe
    > > Winlogon .exe
    > > sjhdyl.exe
    > > kbld.exe
    > > duckduck.exe
    > > explorer .exe
    > > ~xxxxx
    > > oocfwm.exe
    > > gwigsb.exe
    > > jkexnj.exe
    > > lknq.exe
    > > kjnj.exe
    >
    >The virus appears to infect Windows hosts regardless of the OS version. It
    >appears to alter the start menu items of infected hosts and makes them look
    >garbled. At this time I don't know how this virus is spreading but I will
    >let you know if I find out; none of the hosts I have access to are
    >currently infected, but it appears to be spreading through our sister
    >network pretty quickly.
    >
    >Has anyone seen anything like this? Or recognize the signature maybe?
    >
    >Any info would be greatly appreciated.
    >
    >Cheers
    >Danny
    >Network Security Engineer
    >Drexel University
    >PGP Print: C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC F4ED F1E0 PGP Key:
    >http://akasha.irt.drexel.edu/danny.asc
    >
    >
    >
    >-----BEGIN PGP SIGNATURE-----
    >Version: PGP 8.0
    >
    >iQA/AwUBPmkhA2b1zPz07fHgEQItBwCbBxNG2j/HPrqgwAfoyZhMy4CXvp0AoMqM
    >fACTSk3u63sEDW+okA5XssUL
    >=D2mI
    >-----END PGP SIGNATURE-----
    >
    >----------------------------------------------------------------------------
    >
    ><Pre>Lose another weekend managing your IDS?
    >Take back your personal time.
    >15-day free trial of StillSecure Border Guard.</Pre>
    ><A href="http://www.securityfocus.com/stillsecure">
    >http://www.securityfocus.com/stillsecure </A>


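As an added example, not part of the thread above, here is a small triage script for the process list Danny posted. It reads `tasklist /fo csv` output (Windows XP and later; the CSV form is used because a default `tasklist` listing cannot be split reliably once an image name itself contains a space, as "Winlogon .exe" does) and flags three things: names that appear in the reported list, names that mimic a Windows system binary with whitespace inserted, and tilde-prefixed names like the "~xxxxx" entry. The reported names are copied from the message; the list of system binaries and the sample listing are constructed for illustration and are assumptions, not data from the outbreak.

```python
from __future__ import annotations

import csv
import io
import re

# Process names reported in Danny's message above (copied from the thread).
REPORTED_PROCESSES = {
    "cbnegs.exe", "winlogon .exe", "sjhdyl.exe", "kbld.exe", "duckduck.exe",
    "explorer .exe", "oocfwm.exe", "gwigsb.exe", "jkexnj.exe", "lknq.exe", "kjnj.exe",
}

# Legitimate Windows binaries that malware likes to imitate. Assumption: a short
# illustrative list, not an exhaustive inventory of system processes.
SYSTEM_BINARIES = {
    "winlogon.exe", "explorer.exe", "svchost.exe", "lsass.exe",
    "csrss.exe", "services.exe", "smss.exe",
}


def normalize(name: str) -> str:
    """Lower-case and drop all whitespace, so 'Winlogon .exe' -> 'winlogon.exe'."""
    return re.sub(r"\s+", "", name).lower()


def classify(name: str) -> list[str]:
    """Return the reasons a process name looks suspicious (empty list = nothing found)."""
    reasons: list[str] = []
    lowered = name.strip().lower()
    collapsed = normalize(name)
    if lowered in REPORTED_PROCESSES:
        reasons.append("matches a process name reported in the outbreak")
    # A system binary name with whitespace inserted is a classic decoy: 'Winlogon .exe'
    # is not winlogon.exe, but is easy to overlook in a process list.
    if collapsed != lowered and collapsed in SYSTEM_BINARIES:
        reasons.append(f"lookalike of {collapsed} (whitespace inserted)")
    # The report also lists a '~xxxxx' entry; assumption: the x's stand for an
    # arbitrary name, so any extension-less tilde-prefixed image name is flagged.
    if re.fullmatch(r"~[^.\s]+", lowered):
        reasons.append("tilde-prefixed image name like the reported '~xxxxx'")
    return reasons


def triage(tasklist_csv: str) -> list[tuple[str, int, list[str]]]:
    """Parse `tasklist /fo csv` output and return (image name, PID, reasons) for flagged rows."""
    flagged: list[tuple[str, int, list[str]]] = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        name = row["Image Name"]
        reasons = classify(name)
        if reasons:
            flagged.append((name, int(row["PID"]), reasons))
    return flagged


# Constructed sample output of `tasklist /fo csv`; not captured from a real host.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"winlogon.exe","412","Console","0","1,234 K"
"Winlogon .exe","1544","Console","0","2,120 K"
"explorer.exe","1032","Console","0","9,876 K"
"explorer .exe","1688","Console","0","3,040 K"
"duckduck.exe","1720","Console","0","1,512 K"
"~abcde","1760","Console","0","900 K"
"notepad.exe","1800","Console","0","2,000 K"
"""

if __name__ == "__main__":
    for name, pid, reasons in triage(SAMPLE_TASKLIST):
        print(f"PID {pid:>5}  {name!r}: {'; '.join(reasons)}")
```

Names alone are a weak indicator: most entries in Danny's list look randomly generated and will differ from host to host, so a miss here proves nothing. Treat a hit as a lead, then confirm by checking the image path (a genuine winlogon.exe or explorer.exe lives under the Windows directory, not in a temp or profile folder) and hashing the file, ideally from the isolated analysis box Hamish describes rather than on a production host.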
