Educause Security Discussion mailing list archives
Re: Fwd: URGENT: bot net with keylogger
From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 12 Apr 2004 12:14:06 -0400
This may or may not be related. We found two machines exhibiting the described behavior and both had the following software on them.

Process aim1.exe started by registry RUN entry. Located in \windows\system32. Listens on port 113. Prevents registry editor, task manager, and netstat from opening. Renaming netstat allows it to run. Appears to modify or create info.htm in each AIM user's application data directory. Contents of info.htm contain a link to the aim1.exe program under the name lmao.scr. Server is 64.147.162.75. You may want to monitor and block accesses to that address.

Contents of info.htm:

lol hey guys check out http://molotov.us/itr/lmao.scr for a good laugh :)

Latest Symantec liveupdate definitions do not trip on the file.

We just put in new IDP systems over the weekend and several malformed IDENT signatures were tripping. Not sure if it's related or not but you can bet I'm going to investigate.

I just put attack signatures in watching for and blocking web accesses and AIM sessions with suspicious URLs. Two hits on the web site so far and none on the AOL sigs.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
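The three indicators in the post above (the Run-key entry for aim1.exe, the TCP/113 listener, and the .scr link planted in each AIM user's info.htm) can be checked with a small triage script like the one below. It is an added example, not part of the original message: the netstat output, Run-key values and info.htm text are constructed samples that mirror the post, and the function names are my own.

```python
"""Triage helpers for the aim1.exe indicators described in the post (added example)."""
import re

# Indicators quoted in the post.
SUSPECT_PROCESS = "aim1.exe"
SUSPECT_PORT = 113  # ident

# A link to a screensaver executable (.scr) inside an AIM info.htm is
# suspicious regardless of host; the host is returned so it can be blocked.
SCR_LINK = re.compile(r"https?://([^\s/]+)/\S*\.scr\b", re.IGNORECASE)

def info_htm_hits(text):
    """Return (host, url) pairs for every .scr link found in info.htm contents."""
    return [(m.group(1).lower(), m.group(0)) for m in SCR_LINK.finditer(text)]

def run_key_hits(run_values):
    """run_values: dict of Run-key value name -> command line (e.g. from a reg export)."""
    return [name for name, cmd in run_values.items() if SUSPECT_PROCESS in cmd.lower()]

def ident_listeners(netstat_lines):
    """Return local endpoints from 'netstat -an' output that are LISTENING on TCP/113."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            local = parts[1]
            if local.rsplit(":", 1)[-1] == str(SUSPECT_PORT):
                hits.append(local)
    return hits

def triage(info_htm, run_values, netstat_lines):
    """Combine the three checks; any non-empty field warrants a closer look at the host."""
    return {
        "scr_links": info_htm_hits(info_htm),
        "run_entries": run_key_hits(run_values),
        "ident_listeners": ident_listeners(netstat_lines),
    }

# Constructed samples mirroring the post's description (not captured data).
SAMPLE_INFO_HTM = "lol hey guys check out http://molotov.us/itr/lmao.scr for a good laugh :)"
SAMPLE_RUN = {"aim1": r"C:\WINDOWS\system32\aim1.exe",
              "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING",
                  "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING"]

if __name__ == "__main__":
    print(triage(SAMPLE_INFO_HTM, SAMPLE_RUN, SAMPLE_NETSTAT))
```

Because the post notes the sample renames netstat to get it running, feed the script output captured from a renamed copy or from a clean boot medium rather than trusting the infected host's own netstat.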
Current thread:
- URGENT: bot net with keylogger REN-ISAC (Apr 05)
- <Possible follow-ups>
- Re: URGENT: bot net with keylogger Doug Pearson (Apr 05)
- Re: Fwd: URGENT: bot net with keylogger Doug Pearson (Apr 08)
- Re: Fwd: URGENT: bot net with keylogger T. Charles Yun (Apr 08)
- Re: Fwd: URGENT: bot net with keylogger Krulewitch, Sean (Apr 08)
- Re: Fwd: URGENT: bot net with keylogger Kathy Bergsma (Apr 09)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Dave Monnier, IT Security Office, Indiana University (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Dave Monnier, IT Security Office, Indiana University (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Dave Monnier, IT Security Office, Indiana University (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Dave Monnier, IT Security Office, Indiana University (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Eli Dart (Apr 13)