Security Incidents mailing list archives
Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3
From: Matthew Jonkman <matt () infotex com>
Date: Mon, 12 Jul 2004 10:47:07 -0500
Crude snort rule to catch it:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BLEEDING-EDGE VIRUS Psyme Trojan Download"; uricontent:"/download/IEService215.chm"; nocase; sid:2000365; rev:1; )

Updates to it will be at www.bleedingsnort.com

Matt

Axel Pettinger wrote:

> "Humes, David G." wrote:
> > Starting around July 8th we noticed workstations trying to access 67.109.249.3 on port 80 and do a
> >
> > GET /download/IEService215.chm HTTP/1.1
> >
> > Analysis of the users' browsing activity did not reveal any pattern that would suggest that the activity was user-initiated. We suspect that this is something trying to "phone home", but not sure quite what. A reverse lookup of the IP just returns 67.109.249.3.ptr.us.xo.net, and whois just tells me that it belongs to XO. Has anyone else seen this and know what it is?
>
> The CHM file is according to Kaspersky a trojan downloader called "TrojanDownloader.VBS.Psyme.ak". It makes use of IE's ADODB problem to download and execute a trojan called "Trojan.Win32.StartPage.kf". Detection added last Saturday.
>
> The funny thing is that NAI's virus research lab (APAC) decided to call the "StartPage trojan" (only) a "potentially unwanted application" named "FindFast" ... Detection via "extra.dat" at the moment, probably later today in their DailyDAT files.
>
> BTW, is the patch for MS04-013 installed on the workstations you mentioned?
>
> Regards,
> Axel Pettinger
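To show what the rule above actually fires on, here is an added Python example (not from the list post or from Bleeding Snort) that parses the rule's option block and applies its uricontent/nocase semantics to constructed HTTP requests, including a case-variant URI that should match and a request that carries the string only in the body and so should not.

```python
import re
# The Snort rule posted above, copied verbatim so its option block can be parsed.
PSYME_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '( msg:"BLEEDING-EDGE VIRUS Psyme Trojan Download"; '
    'uricontent:"/download/IEService215.chm"; nocase; sid:2000365; rev:1; )'
)

def parse_rule(rule):
    """Extract msg, sid and each uricontent pattern together with its nocase flag."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    info = {'msg': None, 'sid': None, 'uricontent': []}
    for item in body.split(';'):
        key, _, val = item.strip().partition(':')
        val = val.strip().strip('"')
        if key == 'uricontent':
            info['uricontent'].append({'pattern': val, 'nocase': False})
        elif key == 'nocase' and info['uricontent']:
            info['uricontent'][-1]['nocase'] = True  # nocase modifies the preceding pattern
        elif key in ('msg', 'sid'):
            info[key] = val
    return info

def request_uri(raw_request):
    """URI from the request line only; headers and body are ignored, as uricontent does."""
    m = re.match(r'^[A-Z]+ (\S+) HTTP/\d\.\d$', raw_request.splitlines()[0] if raw_request else '')
    return m.group(1) if m else None

def rule_matches(info, raw_request):
    uri = request_uri(raw_request)
    if uri is None:
        return False
    for uc in info['uricontent']:
        hay, needle = (uri.lower(), uc['pattern'].lower()) if uc['nocase'] else (uri, uc['pattern'])
        if needle not in hay:
            return False
    return True

def scan(requests, rule=PSYME_RULE):
    # Return (sid, msg, uri) for every request the rule would alert on.
    info = parse_rule(rule)
    return [(info['sid'], info['msg'], request_uri(r)) for r in requests if rule_matches(info, r)]

# Constructed sample traffic (not a capture); the last one has the string only in the body.
SAMPLE_REQUESTS = [
    'GET /download/IEService215.chm HTTP/1.1\r\nHost: 67.109.249.3\r\n\r\n',
    'GET /DOWNLOAD/ieservice215.CHM HTTP/1.0\r\nHost: 67.109.249.3\r\n\r\n',
    'GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n',
    'POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n/download/IEService215.chm',
]
```

Running `scan(SAMPLE_REQUESTS)` yields two alerts with sid 2000365 (the exact and the case-variant URI) and none for the body-only request.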
Current thread:
- Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Humes, David G. (Jul 09)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Paul Schmehl (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Andy (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Paul Schmehl (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Ronaldo C Vasconcellos (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Thor Larholm (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Axel Pettinger (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Matthew Jonkman (Jul 12)