Educause Security Discussion mailing list archives
Re: "Yay" Malware
From: "Flagg, Martin D." <FlaggMD () HIRAM EDU>
Date: Fri, 12 Jan 2007 09:53:12 -0500
Any suggestions for IDS and/or Layer 7 firewall detection? Does usb.exe get downloaded?

Marty
Hiram College

-----Original Message-----
From: Parker, Ron [mailto:Ron.Parker () BRAZOSPORT EDU]
Sent: Friday, January 12, 2007 9:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] "Yay" Malware

In cases where we've tried to repair the damage, without having a removal tool available, I've seen some of my staff spend multiple days trying to clean things up. As you know, then you never know for sure that you've gotten it. I would guesstimate that it has cost us several hundred dollars in staff time per computer to try to clean up something. We would only do that in very rare cases any more. These days, we re-image with gusto.

--
Ron Parker, Director of Information Technology, Brazosport College

-----Original Message-----
From: RL Vaughn [mailto:Randy_Vaughn () BAYLOR EDU]
Sent: Friday, January 12, 2007 7:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] "Yay" Malware

Indeed the file, C:\WINDOWS\SYSTEM32\usb.exe, has been pinned as the culprit. Reports are it overwrites binaries critical to IM, tray applications, and, apparently, the binaries of processes active at the time of infection including some AV. The binary is UPX packed. The infection vector has not yet been determined to my knowledge. Scott's reinstall or reimage option suggestion seems realistic rather than paranoid.

On that point, and other previous postings, does anyone have a ballpark guesstimate of how much it costs to repair a single machine after such an infection?

Scott Fendley wrote:
> Heya Tim et al,
>
> Thankfully we have not seen it on our campus as of yet. However, I do know from communication with the Internet Storm Center that a sample has been sent to all of the major antivirus vendors earlier in the day. I would expect that definitions will be out for the initial variation of this malware soon.
>
> After determining the attack vector/infection technique, I would typically reinstall or reimage the computer. I may be a little paranoid, but I really don't like not knowing positively what the state of security really is after a compromise of this nature.
>
> It would be great if any determination could be made as to what the infection vector might have been. Email, IM, website download? From the reports I have seen it seems the file that appears to be part of the 1st stage infection is C:\WINDOWS\SYSTEM32\usb.exe.
>
> Hopefully I will have more details in the morning that I can share.
>
> Scott
>
> At 07:25 PM 1/11/2007, Tim Lane wrote:
>> Hi All,
>>
>> has anyone seen (for want of a better term) the Yay Malware. We are seeing a small window with the word "yay" in it appear on the desktop with a lot of outgoing traffic. A search on Google cites quite a few people seeing this in the last 24 hours but no resolution.
>>
>> We have tried to remove it with:
>> Symantec AV
>> Adaware
>> Spybot S&D
>> Defender
>> XoftSpySE
>> MSRT
>>
>> Seems like it may be very new and the AV vendors have not caught on yet....
>>
>> If anyone has seen it and mitigated it I would be interested to hear.
>>
>> Thanks,
>> Tim
>>
>> Tim Lane
>> Information Security Program Manager
>> Information Technology and Telecommunication Services
>> Southern Cross University
>> PO Box 157 Lismore NSW 2480
>> 02 6620 3290 / 02 6620 3033
>> tlane () scu edu au
>> http://www.scu.edu.au
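The thread names one concrete host artifact, C:\WINDOWS\SYSTEM32\usb.exe, and one property of it, that the binary is UPX packed. The script below is an added triage example, not code from the list or from any of the posters: it checks whether a file exists at the reported path and parses the PE section table to see whether it carries the section names the stock UPX packer writes (UPX0/UPX1/UPX2). The `build_sample_pe` helper constructs a minimal, non-executable PE skeleton so the check can be run offline; the section names and the 0x40 header offset used there are constructed test data, and `REPORTED_PATH` is simply the path quoted in RL Vaughn's message.

```python
"""Read-only host triage: is the reported file present, and does it look UPX-packed?"""
import os
import struct
from typing import List

# Path quoted in the thread as the first-stage file (reported, not verified here).
REPORTED_PATH = r"C:\WINDOWS\SYSTEM32\usb.exe"

# Section names the stock UPX packer writes into the PE section table.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> List[bytes]:
    """Return the section names of a PE image, or [] if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF file header follows the signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table starts after the optional header.
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes, Name is the first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Weak indicator: any section name matches what stock UPX emits."""
    return any(n in UPX_SECTION_NAMES for n in pe_section_names(data))


def triage_file(path: str) -> dict:
    """Report presence, size and UPX marker for a path. Nothing is executed or deleted."""
    if not os.path.isfile(path):
        return {"path": path, "present": False}
    with open(path, "rb") as f:
        data = f.read()
    return {
        "path": path,
        "present": True,
        "size": len(data),
        "upx_sections": looks_upx_packed(data),
    }


def build_sample_pe(section_names) -> bytes:
    """Construct a minimal PE skeleton with the given section names (test data only, not runnable code)."""
    opt = b"\x0b\x01" + b"\0" * 94  # PE32 magic plus padding: 96 bytes of optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)  # 64-byte DOS stub
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    # Constructed sample: a packed-looking image and a plain one.
    print(looks_upx_packed(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])))
    print(looks_upx_packed(build_sample_pe([b".text", b".data", b".rsrc"])))
    print(triage_file(REPORTED_PATH))
```

The UPX section names are only a triage hint, not a verdict: plenty of legitimate software ships UPX-packed, and a packed sample can have its section names rewritten, so absence of the marker proves nothing. Given the report that usb.exe overwrites the binaries of running processes, including some AV, run any such check from a boot medium you trust rather than from the suspect installation, and treat a positive as confirmation of the re-image path the thread already recommends rather than as a cleanup target.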
Current thread:
- "Yay" Malware Tim Lane (Jan 11)
- <Possible follow-ups>
- Re: "Yay" Malware RL Vaughn (Jan 11)
- Re: "Yay" Malware Scott Fendley (Jan 11)
- Re: "Yay" Malware RL Vaughn (Jan 12)
- Re: "Yay" Malware Parker, Ron (Jan 12)
- Re: "Yay" Malware Flagg, Martin D. (Jan 12)
- Re: "Yay" Malware David Taylor (Jan 12)
- Re: "Yay" Malware David Gillett (Jan 12)
- Re: "Yay" Malware RL Vaughn (Jan 12)