Educause Security Discussion mailing list archives

Re: New Virus/Trojan/...?


From: "Wayne J. Hauber" <wjhauber () IASTATE EDU>
Date: Wed, 6 Oct 2004 10:49:34 -0500

At 09:13 AM 10/6/2004, Jason Brooks wrote:
We submitted the executable Quicktimee.exe that was doing the port 445 scans
to McAfee yesterday morning.  They responded yesterday afternoon classifying
it as W32/SDBot.worm.  They also issued us an EXTRA.DAT which will be cycled
into production DATs soon.

Thanks for the suggestions,
Jason Brooks

I submitted a copy as well. The system I examined also had an ftp server on
port 31907 "220 StnyFtpd 0wns j0", running tfpd



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Scott Weeks
Sent: Monday, October 04, 2004 5:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Virus/Trojan/...?

On Mon, 4 Oct 2004, Jason Brooks wrote:

:  Beginning about 16:45 EDT on Sunday 3 Oct 2004, we began seeing high levels
:  of port scanning for port 445 from our students.  We have obtained one
:  laptop for analysis.  Here are our findings:
:
:          Process Quicktimee.exe is opening numerous outbound connections to

<snip>

:  So, with that, does it look familiar to anyone?  McAfee doesn't know it, and
:  can't turn up anything seemingly related in Google, etc.
:
:  Suggestions/Help?


You might try the Incidents mailing list at SecurityFocus:

     http://www.securityfocus.com/incidents

scott

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.


Wayne Hauber (515) 294-9890
Network Information & Microcomputer Network Services
Office of Academic Information Technologies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu
