Full Disclosure mailing list archives

Re: is there a new virus?


From: "Robert J. Liebsch" <rliebsch () stoneyamashita com>
Date: Thu, 19 Jun 2003 09:08:02 -0700

I just cleaned a friend's computer. Guess what? You may be running mirc and an
ftp server already!

Look for a file called rmtcfg.exe. Don't bother looking in your task manager
or your mgmt console. Part of the startup script is written to run the
process invisibly. The server/log files et al ate 2gb of this person's drive.

I found it in the screen savers directory and in the sys32 directory.

I did some nmapping against the host while the servers were running. Looked
like nothing was running. It disables Zone alarm. It likely will disable
antivirus sw. Oh, the ftp server is ssl enabled.

I didn't do any forensic work on the log files. You have to remove the
directories with the exe and its replicating clone. Then reboot and delete
the leftovers. The health checks and ini files will not be deleted while the
servers are running.

Of course you may not have seen what I saw.
--------------------------
Robert Liebsch, I.T. 
Stone Yamashita Partners
via BlackBerry

SY[P]
Stone Yamashita Partners,
San Francisco

-----Original Message-----
From: Benjamin Meade <ben () lanwest com au>
To: full-disclosure () lists netsys com <full-disclosure () lists netsys com>
Sent: Thu Jun 19 01:49:35 2003
Subject: RE: [Full-disclosure] is there a new virus?

Got this from Sans this morning.

--New Trojan Spreading
(10/13 June 2003)
Researchers believe a new, "third-generation Trojan horse" program is
infecting machines on the Internet.  While the details of the Trojan's
actions are not complete, what is known is that it scans random IP
addresses and probes with a TCP SYN request with window size of 55808.
It can also spoof the IP addresses of the packets it sends.  It is
capable of scanning 90% of the Internet's IP addresses in a 24-hour
period. http://www.eweek.com/print_article/0,3668,a=43352,00.asp
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=22371

Maybe that's what's going on. My firewall logs are getting filled up as well.

Benjamin Meade
System Administrator
LanWest Pty Ltd
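
The SANS note above gives one concrete indicator: a bare TCP SYN with a window size of 55808. The following is an added example, not part of this thread, that scans tcpdump-style text for that indicator and tallies it per source; the log lines are constructed for the example, and the format assumed is tcpdump's default `Flags [S], ... win N` output.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not a real capture): three 55808-window
# SYN probes from two sources, one ordinary SYN, and one SYN-ACK that also
# carries window 55808 and must NOT be flagged (only pure SYNs count).
SAMPLE_LOG = """\
09:01:02.100 IP 203.0.113.10.4021 > 198.51.100.7.80: Flags [S], seq 1, win 55808, length 0
09:01:02.400 IP 198.51.100.9.51000 > 198.51.100.7.22: Flags [S], seq 2, win 65535, length 0
09:01:03.010 IP 192.0.2.77.1033 > 198.51.100.7.139: Flags [S], seq 3, win 55808, length 0
09:01:03.500 IP 198.51.100.7.80 > 203.0.113.10.4021: Flags [S.], seq 4, ack 2, win 55808, length 0
09:01:04.200 IP 203.0.113.10.4022 > 198.51.100.7.445: Flags [S], seq 5, win 55808, length 0
"""

TROJAN_WINDOW = 55808  # window size reported in the SANS item quoted above

LINE_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],.*?\bwin (?P<win>\d+)"
)

def split_host_port(endpoint):
    """tcpdump writes host.port; the port is the last dotted field."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)

def find_55808_probes(log_text):
    """Return (src_ip, dst_ip, dst_port) for every pure SYN with window 55808."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # "S" alone is a SYN; "S." is a SYN-ACK and is skipped.
        if m["flags"] != "S" or int(m["win"]) != TROJAN_WINDOW:
            continue
        src_ip, _ = split_host_port(m["src"])
        dst_ip, dst_port = split_host_port(m["dst"])
        hits.append((src_ip, dst_ip, dst_port))
    return hits

def summarize(log_text):
    """Probe count and per-source tally. The SANS item says the source
    addresses may be spoofed, so treat the tally as a volume measure,
    not as attribution."""
    hits = find_55808_probes(log_text)
    by_src = Counter(src for src, _, _ in hits)
    return {"probes": len(hits), "sources": dict(by_src)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```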

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Philip
Stortz
Sent: Thursday, 19 June 2003 3:27 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] is there a new virus?

is there a new virus out there or an old one spreading like wild fire?
i've been getting a huge number of attempts to initiate a "netbios"
session, from ip's all over the place.  i'm on a slow dialup with a
dynamic ip, and i got attempts from over 2 dozen ip #'s in just a few
hours of use over several sessions with different ip's.  since i use a
mac, they aren't too much of a problem, except that they greatly slow
things down and sometimes do crash programs.  i've been putting all the
offending machines in the stop list of my firewall, but the sheer volume
and ferocity of these attempts is amazing.  some of them try 3 or 6
times in rapid succession, and repeat every few minutes.  i've been
seeing a lot more incursion attempts on other ports as well.  i'm very
curious about what's going on, and i suspect that many machines out
there are being infected and that the netbios session is just the
beginning of a virus that will do something else once it's co-opted
enough machines, i.e. a DOS attack or something else nasty (or if it
continues to grow, just a traffic jam on the backbone).  has anyone heard
of something
new or old coming back?  sometimes they start when i've just dialed in
and downloaded my email before surfing beyond my isp at all, so they
must just be hunting for machines, aggressively.

along the same lines, there's a machine at 12.247.15.226 that's been
randomly throwing packets at me (and likely many "random" addresses)
several times a day.  i've complained and asked for an explanation (no
one else out there seems to find it necessary to randomly talk all the
time) of what's going on and why.  any information would be appreciated,
if nothing else so i know why this is being done.  that domain belongs
to at&t, so i guess it might be some kind of diagnostic scan, but it's
certainly obnoxious, and i have blocked that ip as well.  i block any ip
that tries to talk to me before i talk to them, there are no servers
here obviously and all traffic slows down my connection and occasionally
causes problems (doubtless some of the problems are with how my isp
handles the traffic... and some may be stack overflows or other faults).
these communication attempts (unfortunately my current firewall doesn't
save the packets so i can't really tell what's happening) often occur
several times in a few seconds, and happen several times a day (or
even several times in an hour).  they are sometimes netbios sessions,
but usually on port 1214, which apparently is used by some
viruses/worms/trojans.  i'd really, really like to know what's going on,
and as you'd expect att has been useless and failed to even respond.

any help/explanation of either of these problems would be greatly
appreciated.

-- 
philip stortz -- To be nobody but yourself when the whole world is
trying its best night and day to make you everybody else is to fight the
hardest battle any human being will ever fight. -- ee cummings
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
