**update** (was: Rash of seemingly "old" virii)

[Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>]

Just to update all of you.  I worked with our Lab Manager (who is also
our Sophos AV P.O.C.) to try to determine just what was going on with
the machines in question.  Below is the write-up that he sent Sophos; I
have NOT included the the DLL (don't want to infect anybody AND it
might not get thru the list) or ".REG" file because the DLL filename
may not be the same in all instances. This one was a "toughie".

If you would like the .DLL and/or .REG file(s) - PLEASE contact me
off-list.  I am not sure how valuable it/they will be, because I don't
know what the vector was to "install" that DLL and hook it to Explorer.

I would like to thank ALL of you, who responded, for your input - it
was invaluable.

I hope this saves SOMEONE some time and frustration.

Begin forwarded message:

> From: Paul J Smernoff <Paul.J.Smernoff () williams edu>
> Date: March 9, 2005 7:02:06 PM EST
> To: support () sophos com
> Subject: Possible virus attached
>
> We have recently quarantined a few of our student's Windows XP
> workstations as they were making massive requests of one of our web
> servers.
>
> We are not certain how these PCs were infected.
>
> One of our Admins believes the PCs in question may have been trying to
> exploit IIS server as they were looking for the file fp30reg.dll.
>
> We have scanned one of these systems with an already installed
> up-to-date
> Sophos Anti-Virus and found that the PC still exhibited the adverse
> behavior.
>
> Our use of Sysinternals TCPView demonstrated frequent scans of our
> network
> and the continued assault our DHCP server.
>
> I noticed the behavior would only stop when killing the windows shell
> explorer.exe.
>
> I ran tasklist /m against explorer.exe to see which dlls were
> associated
> with this process.  I then compared the list of dlls with one from a
> clean
> PC.  The attached DLL is the only one that was highly suspect as I
> could
> not find any reference to it on the Internet.
>
> In addition, this file was not found on the system initially even when
> searching the entire disk for hidden and system files.
>
> The attached .reg file contains the registry reference to the file.
> Once
> removed, I rebooted and found the file in c:\windows\system32.  The
> attacks against our web server ceased.
>
> I have since scanned the file with Panda ActiveScan and it is reported
> as
> a virus - Poxdar.B.
>
> I hope an IDE can be had soon.  Please reply with any updates.
>
> Thanks,
> Paul
>
> --
> Paul Smernoff
> Networks & Systems
> Office for Information Technology
> Williams College


PeteC

Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (desk)
(413) 822-2922 (cell)

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.