Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 fr om 67.109.249.3

From: Ronaldo C Vasconcellos (ronaldo_at_cais.rnp.br)
Date: 07/11/04

Next message: Paul Schmehl: "Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3"

Previous message: Frank Knobbe: "Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7)"
In reply to: Humes, David G.: "Workstations trying to GET /download/IEService215.chm HTTP/1.1 fr om 67.109.249.3"
Next in thread: Paul Schmehl: "Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 11 Jul 2004 10:37:30 -0300 (BRST)
To: incidents@securityfocus.com

On Fri, 9 Jul 2004, Humes, David G. wrote:

> Starting around July 8th we noticed workstations trying to access
> 67.109.249.3 on port 80 and do a
>
> GET /download/IEService215.chm HTTP/1.1
>
> Analysis of the users' browsing activity did not reveal any pattern that
> would suggest that the activity was user-initiated. We suspect that this is
> something trying to "phone home", but not sure quite what. A reverse lookup
> of the IP just returns 67.109.249.3.ptr.us.xo.net, and whois just tells me
> that it belongs to XO. Has anyone else seen this and know what it is?

A few more info about this file:

. File type: MS Windows HtmlHelp Data (according to the latest version of
file[1])
. MD5 checksum is e47db712c8684bd5be91de20e6650993
. Identified as TrojanDownloader.VBS.Psyme.ak by Kaspersky 3.0 and Sybari
7.5.1314 (thanks to virustotal.com).

PestPatrol - TrojanDownloader.VBS.Psyme
http://www.pestpatrol.com/pestinfo/t/trojandownloader_vbs_psyme.asp

Symantec Security Response - Downloader.Psyme
http://securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html

Ronaldo

[1] file - determine file type
ftp://ftp.astron.com/pub/file/

Next message: Paul Schmehl: "Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3"

Previous message: Frank Knobbe: "Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7)"
In reply to: Humes, David G.: "Workstations trying to GET /download/IEService215.chm HTTP/1.1 fr om 67.109.249.3"
Next in thread: Paul Schmehl: "Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Midi and Wav file wont play
... David, try the experts at ... > I have tried everything as you suggested and also uninstalled Real Player ... > made Window Media Player the default player. ... >> partial ownership of the file type. ...
(microsoft.public.windowsxp.general)
Re: Registerprincipinställningen?
... David - here's a link to the solution in Swedish ... Sandy - you did understand perfectly! ... "You are attempting to open a file type that is blocked by your registry ... Du försöker spara en filtyp som blockeras av ...
(microsoft.public.powerpoint)
Re: setup associate application with file type
... I have tried it but the "Always" checkbox is disabled. ... In which, client user is ... David ... >> I can not change the associated application with file type. ...
(microsoft.public.dotnet.framework.aspnet)
RE: power point viewer, sp2
... published any stats on post SP2 install malfunctions? ... "david" wrote: ... > panel/folder types and create an association. ... > power point is still shown as the program for that file type and the file ...
(microsoft.public.windowsxp.help_and_support)
RE: exporting report from Access to Excel
... switch the file type to excel ... "David" wrote: ... we're brand new users of Access. ...
(microsoft.public.access.externaldata)