Re: Am I the only one?

[Are Leif Garn}sjordet <a.l.garnasjordet () USIT UIO NO>]

On Wed, 14 Apr 2004, Helms, Sandra wrote:

> Hi there - we are being hit with this and are being swamped trying to
> locate instances of the worm.  Do you scan machines for windows and
> virus updates?  If so, what products(s) do you use?  This is something
> we have not seriously considered before; however, this new batch of
> worms are insidious and users have not noticed ill-effects so they are
> not reporting it.

We have also been hit by variants of this worm and haven't been able to
detect it with f-secure or sophos. We found a sample and submitted it to
f-secure, they told us it was a variant of SDbot. We found the file
C:\WINNT\system32\ceyizpn.exe with lots of tcp-connections, but suspect a
random generated filename. It port scans 135, 139, 445, 1025, 3127, 3410,
5000 and 6129.  Looking at the file with bintext shows it is awfully like
AgoBot/GaoBOt as others have reported about.

We find infected machines from our router logs and from our honeypot/tarpit.
A not to complicated solution is Labrea, http://labrea.sourceforge.net/.
And report our logs to dshield.org as a part of the fight back initiative.

/ArG
USIT/CITS  Center for Information Technology Services, University of Oslo


> -----Original Message-----
> From: Mark Wilson [mailto:wilsodm () AUBURN EDU]
> Sent: Wednesday, April 14, 2004 10:25 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Am I the only one?
>
>
> We have seen this extensively on our network.  It is the AgoBot/GaoBOt
> worm/trojan or varient.  It also goes by the name polybot.  Nasty little
> booger.  It installs a backdoor and scans for "blank" or weak admin
> passwords, various MS vulnerabilities, and DameWare (port 6129)
> weaknesses.  It kills most anti-virus processes/programs. Seems to be
> particularly bad on University networks.
>
> If you do an nmap scan, you will find high ports open.  Most times when
> you telnet into the trojan port (BTW, it changes on each infection), you
> will get: 220 Bot Server (Win32)
>
> It has remote command and DOS functionality.
> Useful Links:
> http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?V
> Name=WORM_AGOBOT.HN&VSect=T
>
> http://vil.nai.com/vil/content/v_101100.htm
> http://www.lurhq.com/phatbot.html
> http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.ul.ht
> ml
>
>
>
> Mark Wilson
> GCIA, CISSP #53153
> Network Security Specialist
> Auburn University
> (334) 844-9347
>
> > > > jim.pollard () MAIL UTEXAS EDU 4/14/2004 9:50:18 AM >>>
> Or did I miss it on Bugtraq?  Recently I've noticed a scan pattern in my
> logs and wonder if anyone might recognize it as either a known virus or
> some kiddie scanning tool looking for virus backdoors?  There are some
> variations... occasionally port 80 and 8080 are included.
>
> Service: 1025 (tcp/1025) (net2fw:DROP:,eth1,none) - 2 packets (take your
> pick... either network blackjack or an assortment of viruses and
> backdoors)
>          Service: 2745 (tcp/2745) (:net2fw:DROP:,eth1,none) - 2 packets
> (Beagle virus)
>          Service: 3127 (tcp/3127) (:net2fw:DROP:,eth1,none) - 2 packets
> (MyDoom virus)
>          Service: 6129 (tcp/6129) (net2fw:DROP:,eth1,none) - 3 packets
> (W32.Mockbot) also Dameware
>
>
> Thanks!
>
> Jim
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.