Educause Security Discussion mailing list archives

Passwords brute forced and sent over IRC


From: Krizi Trivisani <krizi () GWU EDU>
Date: Thu, 1 Apr 2004 15:54:16 -0500

Hello,

We have had the login credentials of a number of systems enumerated and sent over IRC to an IRC server in Korea with the 
IP address of 218.55.182.49 (now blocked at our router).

Based on examination so far, this is what we have found:
1.  One system was compromised and started scanning the network for open shares and weak passwords on other systems
2.  Once a system was found with a weak password, the credentials were sent over IRC
3.  Files found on compromised/infected systems (in c:\%systemroot%\system32) include regedlt.exe and moo.dat
4.  Domain controllers to which the compromised systems were connected were at 100% utilization
5.  In some cases we are seeing a telnet backdoor being opened on 5542

Might be a worm, possibly a W32.Randex.gen variant, but we are not sure at this point.

We are hearing other Universities may be having this same problem.  Anyone else experiencing this?

Krizi

**********************************
Krizi Trivisani, CISSP
Director of Systems Security Operations
Chief Security Officer
The George Washington University
202/994-7803
krizi () gwu edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
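The indicators in the post above (traffic to 218.55.182.49, the dropped files regedlt.exe and moo.dat in system32, a listener on TCP 5542, and the share and password sweeps that loaded the domain controllers) can be turned into a small triage pass over flow logs, host snapshots and DC logon-failure records. The script below is an added example for this archive page, not code from the original message or from GWU; the indicator values come from the post, while the flow-log and logon-log line formats, the `HostSnapshot` shape, the SMB ports used for sweep detection, the thresholds and all function names are assumptions made here, and the sample data is constructed.

```python
"""Indicator triage for the incident described in the post above (added example).

Indicator values are from the post; the log formats, snapshot shape,
thresholds and function names are assumptions of this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

IRC_C2_IP = "218.55.182.49"                 # from the post
BACKDOOR_PORT = 5542                        # from the post
SUSPECT_FILES = {"regedlt.exe", "moo.dat"}  # from the post (lower-cased for matching)
SMB_PORTS = {139, 445}                      # assumption: where "open share" probing lands

# Constructed flow-log format (assumption): "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (tcp|udp)$")
# Constructed DC audit-log format (assumption): "<ts> LOGON_FAILURE src=<ip> user=<name>"
LOGON_RE = re.compile(r"^\S+ LOGON_FAILURE src=(\S+) user=(\S+)$")


@dataclass(frozen=True)
class Finding:
    host: str      # host the finding is attributed to
    kind: str      # short category used for grouping
    detail: str


@dataclass
class HostSnapshot:
    name: str
    system32_files: set   # file names found in the system32 directory
    listening_tcp: set    # TCP ports with a listener


def parse_flow(line):
    """Return a dict for one flow line, or None when the line does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, proto = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}


def scan_flows(lines, min_share_targets=3):
    """Flag traffic to the IRC server, inbound hits on the backdoor port, and
    sources touching many distinct hosts on SMB ports (a share sweep)."""
    findings, share_targets = [], defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue  # skip unparsable lines instead of aborting the whole pass
        if f["dst"] == IRC_C2_IP:
            findings.append(Finding(f["src"], "irc-c2", f"-> {IRC_C2_IP}:{f['dport']} at {f['ts']}"))
        if f["proto"] == "tcp" and f["dport"] == BACKDOOR_PORT:
            findings.append(Finding(f["dst"], "backdoor-inbound", f"from {f['src']} at {f['ts']}"))
        if f["proto"] == "tcp" and f["dport"] in SMB_PORTS:
            share_targets[f["src"]].add(f["dst"])
    for src, targets in share_targets.items():
        if len(targets) >= min_share_targets:
            findings.append(Finding(src, "share-sweep", f"{len(targets)} distinct SMB targets"))
    return findings


def scan_host(snap):
    """Flag the dropped files (exact name match, so the look-alike regedlt.exe is
    caught while the legitimate regedit.exe is not) and the backdoor listener."""
    findings = [Finding(snap.name, "dropped-file", name)
                for name in sorted(snap.system32_files) if name.lower() in SUSPECT_FILES]
    if BACKDOOR_PORT in snap.listening_tcp:
        findings.append(Finding(snap.name, "backdoor-listener", f"tcp/{BACKDOOR_PORT}"))
    return findings


def password_guess_sources(logon_lines, threshold=5):
    """Sources with at least `threshold` failed logons: the password sweep that
    drove the domain controllers to full utilization."""
    counts = defaultdict(int)
    for line in logon_lines:
        m = LOGON_RE.match(line.strip())
        if m:
            counts[m.group(1)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def triage(flow_lines, snapshots, logon_lines):
    """Group every finding by host so a responder sees each machine's full picture."""
    findings = scan_flows(flow_lines)
    for snap in snapshots:
        findings.extend(scan_host(snap))
    for src, n in password_guess_sources(logon_lines).items():
        findings.append(Finding(src, "password-guessing", f"{n} failed logons"))
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    return dict(by_host)


# Constructed sample data: one infected workstation (10.1.5.23 / ws-lab-07), one clean (10.1.5.40 / ws-lib-12).
SAMPLE_FLOWS = [
    "2004-04-01T15:10:02 10.1.5.23:1043 -> 218.55.182.49:6667 tcp",
    "2004-04-01T15:10:05 10.1.5.23:1044 -> 10.1.5.40:445 tcp",
    "2004-04-01T15:10:06 10.1.5.23:1045 -> 10.1.5.41:445 tcp",
    "2004-04-01T15:10:07 10.1.5.23:1046 -> 10.1.5.42:139 tcp",
    "2004-04-01T15:11:30 10.1.5.99:2211 -> 10.1.5.23:5542 tcp",
    "2004-04-01T15:12:00 10.1.5.40:1100 -> 10.1.7.2:53 udp",
    "not a flow line",
]
SAMPLE_HOSTS = [
    HostSnapshot("ws-lab-07", {"kernel32.dll", "regedlt.exe", "MOO.DAT"}, {135, 139, 445, 5542}),
    HostSnapshot("ws-lib-12", {"kernel32.dll", "regedit.exe"}, {135, 139, 445}),
]
SAMPLE_LOGONS = [f"2004-04-01T15:10:{10 + i:02d} LOGON_FAILURE src=10.1.5.23 user=administrator"
                 for i in range(6)] + ["2004-04-01T15:13:00 LOGON_FAILURE src=10.1.5.40 user=jsmith"]

if __name__ == "__main__":
    for host, host_findings in sorted(triage(SAMPLE_FLOWS, SAMPLE_HOSTS, SAMPLE_LOGONS).items()):
        print(host)
        for f in host_findings:
            print(f"  {f.kind:<20} {f.detail}")
```

Run as-is to see the grouped report for the constructed data; in practice the `SAMPLE_*` lists would be replaced by real flow exports, file listings and DC audit records in whatever format the site has, with the two regular expressions adjusted to match. Matching the file names exactly rather than by prefix is deliberate: regedlt.exe is a look-alike of the legitimate regedit.exe, and a loose match would flag every clean host.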
