Educause Security Discussion mailing list archives

Re: Rash of seemingly "old" virii

From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Tue, 8 Mar 2005 08:20:15 -0600

I have discovered this type malware often puts a startup .pf file in the
windows\prefetch directory.  May want to check there...

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

flynngn () JMU EDU wrote on 3/7/2005 3:06:05 PM:

Peter Charbonneau wrote:

I am seeing some of our student computers (to the tune of 10-12
machines) hitting various web servers, both inside and outside our
campus, requesting:

137.165.xxx.yyy - - [07/Mar/2005:09:24:06 -0500] "POST
/_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 - "-" "-"
137.165.xxx.yyy - - [07/Mar/2005:09:24:06 -0500] "POST
/_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 - "-" "-"
137.165.xxx.yyy - - [07/Mar/2005:09:24:06 -0500] "SEARCH
/

\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x0

4H\x04H\x04H\x04H\x04H\x04H\x04H\x04H .... [thousands of characters
removed for sanity sake]

In searching the web, I find that this SEEMS to be the FrontPage
extension attack from 2-3 years ago.  I "got a hold" of a couple of
student machines that were the xxx.yyy addresses.  So far, BOTH of
these machines have AV protection running AND have updated def

files.

I have run various Spyware scans using all 17,000 of our favorite
Spyware tools - nothing has come up (well, gator, but that is kinda
expected) that clues me into what is going on.

I am wondering whether any of you have seen anything like this, or
potentially have an explanation.  I am just about at my wits end

trying

to counter/explain it.



Get a list of running processes and see if you can identify
a common one or stop the traffic by disabling suspect
processes.

If you get a suspect, submit it to virustotal:
http://www.virustotal.com/xhtml/index_en.html

and your friendly neighborhood AV vendor of choice.

My guess is that you've got yet another new
ago/sd/gao/whachamacallit BOT. I've run into two
in the past couple weeks alone.

--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE

Discussion

Group discussion list can be found at

http://www.educause.edu/groups/.


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.

Attachment: Mark Wilson.vcf
Description:

Current thread:

Rash of seemingly "old" virii Peter Charbonneau (Mar 07)
- <Possible follow-ups>
- Re: Rash of seemingly "old" virii Gary Flynn (Mar 07)
- Re: Rash of seemingly "old" virii Mark Wilson (Mar 08)