Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3

From: Paul Schmehl (pauls_at_utdallas.edu)
Date: 07/10/04

  • Next message: Peter Bates: "Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3"
    To: "Humes, David  G." <David.Humes@jhuapl.edu>, <incidents@securityfocus.com>
    Date: Sat, 10 Jul 2004 13:38:46 -0500
    
    

    ----- Original Message -----
    From: "Humes, David G." <David.Humes@jhuapl.edu>
    To: <incidents@securityfocus.com>
    Sent: Friday, July 09, 2004 2:01 PM
    Subject: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3

    > Starting around July 8th we noticed workstations trying to access
    > 67.109.249.3 on port 80 and do a
    >
    > GET /download/IEService215.chm HTTP/1.1
    >
    > Analysis of the users' browsing activity did not reveal any pattern that
    > would suggest that the activity was user-initiated. We suspect that this is
    > something trying to "phone home", but not sure quite what. A reverse lookup
    > of the IP just returns 67.109.249.3.ptr.us.xo.net, and whois just tells me
    > that it belongs to XO. Has anyone else seen this and know what it is?
    >
    After consulting with some experts, the chm file is VBS\Psyme and it
    downloads IEService215.exe from the same site. *That* file is
    Trojan.Win32.StartPage.kf. Your computers are infected. I'm sending
    samples of both the chm file and the exe to the AV vendors, and I've
    notified XO's abuse address to take the host offline.

    Thanks to both Blue Boar and Joe Stewart for their help with this.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/~pauls/
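
As an added example (not part of the original thread and not code from either poster), here is a small Python hunt over proxy logs for the two requests the thread describes: the GET for /download/IEService215.chm from 67.109.249.3 and the follow-on GET for /download/IEService215.exe from the same host. The indicators (host IP, reverse-DNS name, the two paths) come from the messages above; the log lines are constructed for the example, and the Squid native access.log layout is an assumption about the reader's proxy. Clients that retrieved the .exe are separated from those that only got the .chm and from those whose fetch attempts failed or were blocked.

```python
"""Hunt proxy logs for the two-stage IEService215 fetch described in the thread.

Indicators taken from the thread: host 67.109.249.3 (67.109.249.3.ptr.us.xo.net),
the dropper /download/IEService215.chm and the payload /download/IEService215.exe
that the chm fetches from the same site. Log format assumed: Squid native
access.log. Sample records below are constructed, not real traffic.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

IOC_HOSTS = {"67.109.249.3", "67.109.249.3.ptr.us.xo.net"}
IOC_PATHS = {
    "/download/IEService215.chm": "stage1-chm",
    "/download/IEService215.exe": "stage2-exe",
}

# Squid native: time elapsed client action/code bytes method url ident peer/host type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample: one fully infected client, one that only got the chm
# (after a 404 retry), one blocked by the proxy, one benign request, one junk line.
SAMPLE_LOG = """\
1089388860.101    312 10.20.1.17 TCP_MISS/200 8412 GET http://67.109.249.3/download/IEService215.chm - DIRECT/67.109.249.3 application/octet-stream
1089388861.455    980 10.20.1.17 TCP_MISS/200 61440 GET http://67.109.249.3/download/IEService215.exe - DIRECT/67.109.249.3 application/octet-stream
1089388870.002     45 10.20.1.42 TCP_HIT/200 2214 GET http://www.example.com/ - NONE/- text/html
1089388880.771    290 10.20.2.9 TCP_MISS/404 512 GET http://67.109.249.3/download/IEService215.chm - DIRECT/67.109.249.3 text/html
1089388890.000    101 10.20.2.9 TCP_MISS/200 9000 GET http://67.109.249.3:80/download/IEService215.chm - DIRECT/67.109.249.3 application/octet-stream
1089388895.330      3 10.20.3.5 TCP_DENIED/403 1200 GET http://67.109.249.3/download/IEService215.chm - NONE/- text/html
this line is not a squid record
"""


def parse_squid_line(line):
    """Parse one Squid native record; return None for lines that do not match."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()   # strips any :80 suffix
    rec["path"] = parts.path
    rec["status"] = rec["code"].split("/")[-1]     # "TCP_MISS/200" -> "200"
    return rec


def find_psyme_fetches(log_text):
    """Return {client: {stage: [status codes in order]}} for requests to the IOC host."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None or rec["host"] not in IOC_HOSTS:
            continue
        # Any other path on the same host is still worth a look, so keep it too.
        stage = IOC_PATHS.get(rec["path"], "other-path")
        hits[rec["client"]][stage].append(rec["status"])
    return {client: dict(stages) for client, stages in hits.items()}


def classify(hits):
    """Rank clients by how far the two-stage download got."""
    verdicts = {}
    for client, stages in hits.items():
        got_exe = "200" in stages.get("stage2-exe", [])
        got_chm = "200" in stages.get("stage1-chm", [])
        if got_exe:
            verdicts[client] = "payload retrieved: treat as infected, image and rebuild"
        elif got_chm:
            verdicts[client] = "dropper retrieved: look for IEService215.exe on the host"
        else:
            verdicts[client] = "attempted only: fetch failed or was blocked, but something on the host is calling out"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(classify(find_psyme_fetches(SAMPLE_LOG)).items()):
        print(f"{client:<12} {verdict}")
```

Matching on the URL's host rather than on a substring of the raw line avoids false hits on unrelated log fields, and keeping "other-path" requests to the same host surfaces any further files the site may be serving. On a real proxy, replace SAMPLE_LOG with the contents of access.log; a host that appears with only 4xx or TCP_DENIED results still made the request, which is the point of the original report.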

