Educause Security Discussion mailing list archives
Re: Am I the only one?
From: Are Leif Garnåsjordet <a.l.garnasjordet () USIT UIO NO>
Date: Wed, 14 Apr 2004 19:54:32 +0200
On Wed, 14 Apr 2004, Helms, Sandra wrote:
> Hi there - we are being hit with this and are being swamped trying to locate instances of the worm. Do you scan machines for Windows and virus updates? If so, what product(s) do you use? This is something we have not seriously considered before; however, this new batch of worms is insidious and users have not noticed ill effects, so they are not reporting it.
We have also been hit by variants of this worm and haven't been able to detect it with F-Secure or Sophos. We found a sample and submitted it to F-Secure; they told us it was a variant of SDbot.

We found the file C:\WINNT\system32\ceyizpn.exe with lots of TCP connections, but suspect a randomly generated filename. It port scans 135, 139, 445, 1025, 3127, 3410, 5000 and 6129. Looking at the file with BinText shows it is awfully like AgoBot/GaoBOt, as others have reported.

We find infected machines from our router logs and from our honeypot/tarpit. A not too complicated solution is LaBrea, http://labrea.sourceforge.net/. We also report our logs to dshield.org as part of the fight back initiative.

/ArG
USIT/CITS Center for Information Technology Services, University of Oslo
-----Original Message-----
From: Mark Wilson [mailto:wilsodm () AUBURN EDU]
Sent: Wednesday, April 14, 2004 10:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Am I the only one?

We have seen this extensively on our network. It is the AgoBot/GaoBOt worm/trojan or a variant. It also goes by the name polybot. Nasty little booger.

It installs a backdoor and scans for "blank" or weak admin passwords, various MS vulnerabilities, and DameWare (port 6129) weaknesses. It kills most anti-virus processes/programs. Seems to be particularly bad on University networks.

If you do an nmap scan, you will find high ports open. Most times when you telnet into the trojan port (BTW, it changes on each infection), you will get:

220 Bot Server (Win32)

It has remote command and DOS functionality.

Useful Links:
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_AGOBOT.HN&VSect=T
http://vil.nai.com/vil/content/v_101100.htm
http://www.lurhq.com/phatbot.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.ul.html

Mark Wilson GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

>>> jim.pollard () MAIL UTEXAS EDU 4/14/2004 9:50:18 AM >>>
Or did I miss it on Bugtraq?

Recently I've noticed a scan pattern in my logs and wonder if anyone might recognize it as either a known virus or some kiddie scanning tool looking for virus backdoors? There are some variations... occasionally ports 80 and 8080 are included.

Service: 1025 (tcp/1025) (net2fw:DROP:,eth1,none) - 2 packets (take your pick... either network blackjack or an assortment of viruses and backdoors)
Service: 2745 (tcp/2745) (:net2fw:DROP:,eth1,none) - 2 packets (Beagle virus)
Service: 3127 (tcp/3127) (:net2fw:DROP:,eth1,none) - 2 packets (MyDoom virus)
Service: 6129 (tcp/6129) (net2fw:DROP:,eth1,none) - 3 packets (W32.Mockbot) also Dameware

Thanks!
Jim

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
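The detection approach the posters describe, finding infected hosts from router or firewall logs by the characteristic port set they probe and then confirming an infection by grabbing the bot's "220 Bot Server (Win32)" banner, as an added example; this is not code from the thread or from any of the posters. It assumes a netfilter/Shorewall-style log line format (SRC=, DST=, PROTO=, DPT= fields) and uses constructed sample lines; the port set is taken from Are Leif's and Jim's posts, and the thresholds are illustrative.

```python
import re
import socket
from collections import defaultdict

# Ports the thread reports the AgoBot/Phatbot variant probing: 135, 139, 445,
# 1025, 3127, 3410, 5000 and 6129 from Are Leif's post, 2745 from Jim's log.
BOT_SCAN_PORTS = frozenset({135, 139, 445, 1025, 2745, 3127, 3410, 5000, 6129})

# Banner Mark Wilson reports when connecting to the bot's listening port.
BOT_BANNER = b"220 Bot Server (Win32)"

# Assumed netfilter-style log format (constructed for this example).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, dport) for a TCP firewall log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))


def find_scanners(lines, min_ports=3, min_targets=5):
    """Flag sources that probe several bot-signature ports across many hosts.

    Requiring both breadth of ports and fan-out of destinations keeps a
    legitimate client that hits one file server on 445 (or one admin box on
    DameWare 6129) from being flagged.  Returns {src: (sorted_ports, n_targets)}.
    """
    ports_by_src = defaultdict(set)
    targets_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # non-TCP or non-firewall line
        src, dst, dpt = rec
        if dpt in BOT_SCAN_PORTS:
            ports_by_src[src].add(dpt)
            targets_by_src[src].add(dst)
    hits = {}
    for src, ports in ports_by_src.items():
        if len(ports) >= min_ports and len(targets_by_src[src]) >= min_targets:
            hits[src] = (sorted(ports), len(targets_by_src[src]))
    return hits


def looks_like_bot_banner(banner):
    """True if the bytes read from a suspect port match the bot banner."""
    return banner.strip().startswith(BOT_BANNER)


def grab_banner(host, port, timeout=3.0):
    """Connect to a suspect high port and read its greeting (network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        return s.recv(128)


def _line(src, dst, dpt):
    # Constructed sample line; format is an assumption, not from the thread.
    return (f"Apr 14 10:02:11 gw kernel: net2fw:DROP:IN=eth1 OUT= "
            f"SRC={src} DST={dst} PROTO=TCP SPT=3501 DPT={dpt}")


# Constructed sample log: one infected host sweeping 10.1.9.1-7 on five
# signature ports, one legitimate client talking to a single file server,
# one web request, and an unrelated sshd line.
SAMPLE_LOG = (
    [_line("10.1.2.3", f"10.1.9.{i}", p)
     for i in range(1, 8) for p in (135, 445, 1025, 3127, 6129)]
    + [_line("10.1.2.50", "10.1.9.7", 445)] * 20
    + [_line("10.1.2.77", "10.1.9.1", 80),
       "Apr 14 10:02:12 gw sshd[123]: Accepted publickey for ops"]
)

if __name__ == "__main__":
    for src, (ports, n) in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: probed ports {ports} on {n} hosts, likely infected")
```

With the constructed log only 10.1.2.3 is reported; the client hammering a single server on 445 is not. Once a host is flagged, an nmap scan for open high ports followed by `grab_banner()` on each candidate port gives the confirmation Mark describes, since the bot's port differs per infection and cannot be hard-coded.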
Current thread:
- Am I the only one? Jim Pollard (Apr 14)
- <Possible follow-ups>
- Re: Am I the only one? Mark Wilson (Apr 14)
- Re: Am I the only one? Dan Jones (Apr 14)
- Re: Am I the only one? Helms, Sandra (Apr 14)
- Re: Am I the only one? Jim Pollard (Apr 14)
- Re: Am I the only one? Are Leif Garnåsjordet (Apr 14)
- Re: Am I the only one? Kathy Bergsma (Apr 14)
- Re: Am I the only one? Mark Wilson (Apr 14)
- Re: Am I the only one? Jason Richardson (Apr 14)