Educause Security Discussion mailing list archives

Re: New Virus/Trojan/...?


From: Jason Brooks <brooksje () LONGWOOD EDU>
Date: Thu, 7 Oct 2004 09:05:40 -0400

Wayne,
        Was the tftp server running from the Quicktimee.exe process or
another one?

Thanks,
Jason

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wayne J. Hauber
Sent: Wednesday, October 06, 2004 11:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Virus/Trojan/...?

At 09:13 AM 10/6/2004, Jason Brooks wrote:
We submitted the executable Quicktimee.exe that was doing the port 445 scans
to McAfee yesterday morning.  They responded yesterday afternoon classifying
it as W32/SDBot.worm.  They also issued us an EXTRA.DAT which will be cycled
into production DATs soon.

Thanks for the suggestions,
Jason Brooks

I submitted a copy as well. The system I examined also had an ftp server on
port 31907 "220 StnyFtpd 0wns j0", running tfpd



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Scott Weeks
Sent: Monday, October 04, 2004 5:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Virus/Trojan/...?

On Mon, 4 Oct 2004, Jason Brooks wrote:

:  Beginning about 16:45 EDT on Sunday 3 Oct 2004, we began seeing high levels
:  of port scanning for port 445 from our students.  We have obtained one
:  laptop for analysis.  Here are our findings:
:
:          Process Quicktimee.exe is opening numerous outbound connections to

<snip>

:  So, with that, does it look familiar to anyone?  McAfee doesn't know it, and
:  can't turn up anything seemingly related in Google, etc.
:
:  Suggestions/Help?


You might try the Incidents mailing list at SecurityFocus:

     http://www.securityfocus.com/incidents

scott


**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.



Wayne Hauber (515) 294-9890
Network Information & Microcomputer Network Services
Office of Academic Information Technologies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu
