Educause Security Discussion mailing list archives

Re: Fwd: URGENT: bot net with keylogger


From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 12 Apr 2004 12:14:06 -0400

This may or may not be related. We found two machines
exhibiting the described behavior and both had the
following software on them.

Process aim1.exe started by registry RUN entry.
Located in \windows\system32.

Listens on port 113.

Prevents registry editor, task manager, and
netstat from opening. Renaming netstat allows
it to run.

Appears to modify or create info.htm in each AIM
user's application data directory.

The contents of info.htm contain a link to the aim1.exe
program under the name lmao.scr. Server is 64.147.162.75.
You may want to monitor and block accesses to that
address.

Contents of info.htm:

   lol hey guys check out http://molotov.us/itr/lmao.scr
   for a good laugh :)

Latest Symantec liveupdate definitions do not
trip on file.

We just put in new IDP systems over the weekend and
several malformed IDENT signatures were tripping.
Not sure if it's related or not but you can bet I'm
going to investigate. I just put attack signatures
in watching for and blocking web accesses and AIM
sessions with suspicious URLs. Two hits on the web
site so far and none on the AOL sigs.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
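A host-triage script, added here as an example and not code from the post or from JMU, that checks constructed sample data against the indicators Gary lists: the aim1.exe Run entry, a port 113 listener or traffic to 64.147.162.75, and the lure URL in an AIM user's info.htm. Registry values and netstat lines are supplied as plain Python data so the checks run offline.

```python
import re

# Indicators as reported in the post; sample inputs below are constructed.
IOC_PROCESS = "aim1.exe"
IOC_PORT = 113
IOC_HOST = "64.147.162.75"
IOC_URL_RE = re.compile(r"https?://molotov\.us/\S*lmao\.scr", re.I)

def check_run_entries(run_values):
    """run_values maps Run-key value names to their commands; flag aim1.exe."""
    return [name for name, cmd in run_values.items()
            if IOC_PROCESS in cmd.lower()]

def check_netstat(netstat_lines):
    """Scan 'netstat -an' style lines for a port-113 listener or the C2 host."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        local_port = int(parts[1].rsplit(":", 1)[1])
        foreign_host = parts[2].rsplit(":", 1)[0]
        if (parts[3].upper() == "LISTENING" and local_port == IOC_PORT) \
                or foreign_host == IOC_HOST:
            hits.append(line.strip())
    return hits

def check_info_htm(text):
    """Return any lure URLs found in an AIM user's info.htm."""
    return IOC_URL_RE.findall(text)

def triage(run_values, netstat_lines, info_htm_text):
    """Combine the three checks; an empty dict means no indicator matched."""
    findings = {
        "run_entries": check_run_entries(run_values),
        "netstat": check_netstat(netstat_lines),
        "info_htm": check_info_htm(info_htm_text),
    }
    return {k: v for k, v in findings.items() if v}

# Constructed sample data mirroring the post (not taken from a real host).
SAMPLE_RUN = {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
              "aim1": r"C:\WINDOWS\system32\aim1.exe"}
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135          0.0.0.0:0            LISTENING",
    "  TCP    0.0.0.0:113          0.0.0.0:0            LISTENING",
    "  TCP    10.0.0.5:1057        64.147.162.75:80     ESTABLISHED",
]
SAMPLE_INFO = "lol hey guys check out http://molotov.us/itr/lmao.scr\nfor a good laugh :)"
```

Since the post notes that netstat will not open on an infected host, feed the script output from a renamed copy as Gary describes, or confirm the port 113 listener from the network side.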
