Educause Security Discussion mailing list archives

New Virus/Trojan/...?


From: Jason Brooks <brooksje () LONGWOOD EDU>
Date: Mon, 4 Oct 2004 16:44:28 -0400

Beginning about 16:45 EDT on Sunday 3 Oct 2004, we began seeing high levels
of port scanning for port 445 from our students.  We have obtained one
laptop for analysis.  Here are our findings:

        Process Quicktimee.exe is opening numerous outbound connections to destination port 445 (Note extra "e").
        The box is Win2K SP4, McAfee A/V (7.1) current definitions (4396).
        Updated A/V defs; scan - nothing
        AdAware/Spybot scan - nada
        Pulled down a few patches, but I don't know which ones were installed (not performed by the InfoSec Office)
        File only visible in Explorer.exe after selecting "Show Hidden Files and Folders" and unchecking "Hide Protected Operating System Files".
        Fport showed that Quicktimee.exe was sitting in C:\WINNT\system32 directory.
        Called from the following Registry keys:
                HKU\SSID\Software\Microsoft\OLE\Norton Virus Definitions - Quicktimee.exe
                HKLM\Software\Microsoft\Windows\Current Version\Run\Norton Virus Definitions - Quicktimee.exe
        The file is about 86KB and no interesting strings in the binary.
        Admin account had no password.  However, File and Print Sharing was off.

So, with that, does it look familiar to anyone?  McAfee doesn't know it, and
can't turn up anything seemingly related in Google, etc.

Suggestions/Help?

Thanks,
Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu
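
Added example, not part of the original post: a triage sketch that flags autorun values like the one reported above, where the image name is a near-miss of an expected binary and the value name cites an antivirus vendor other than the installed one. The `EXPECTED` baseline, the vendor keyword list and the sample export are assumptions constructed for illustration.

```python
import re

# Constructed sample in the layout `reg query` prints; first value mirrors the post.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Norton Virus Definitions    REG_SZ    Quicktimee.exe
    QuickTime Task    REG_SZ    C:\Program Files\QuickTime\quicktime.exe
"""

EXPECTED = ("quicktime.exe", "explorer.exe", "svchost.exe")  # hypothetical site baseline
AV_VENDORS = ("norton", "symantec", "mcafee")                # hypothetical keyword list
INSTALLED_AV = "mcafee"                                      # per the post: McAfee A/V

def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_run_values(text):
    """Yield (key, value_name, data) from reg-query-style text."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and line.startswith("    "):
            parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                yield key, parts[0], parts[2]

def triage(text, expected=EXPECTED, installed_av=INSTALLED_AV):
    """Return (value_name, data, reasons) for each suspicious autorun value."""
    findings = []
    for _key, name, data in parse_run_values(text):
        image = re.split(r"[\\/]", data.strip('"'))[-1].lower()
        reasons = []
        near = [e for e in expected if 0 < edit_distance(image, e) <= 2]
        if near:
            reasons.append(f"image name is a look-alike of {near[0]}")
        other = [v for v in AV_VENDORS if v in name.lower() and v != installed_av]
        if other:
            reasons.append(f"value name cites {other[0]}, not the installed A/V")
        if reasons:
            findings.append((name, data, reasons))
    return findings

if __name__ == "__main__":
    for name, data, reasons in triage(SAMPLE):
        print(f"{name!r} -> {data}: " + "; ".join(reasons))
```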
