Educause Security Discussion mailing list archives

Re: "Yay" Malware


From: David Gillett <gillettdavid () FHDA EDU>
Date: Fri, 12 Jan 2007 09:16:29 -0800

  It would also be useful to have some characterization of the
"lot of outgoing traffic" associated with this, so that we know
what to look for.

David Gillett


-----Original Message-----
From: Scott Fendley [mailto:scottf () UARK EDU]
Sent: Thursday, January 11, 2007 8:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] "Yay" Malware

Heya Tim et al,

Thankfully we have not seen it on our campus as of yet.
However, I do know from communication with the Internet Storm
Center that a sample has been sent to all of the major
antivirus vendors earlier in the day.  I would expect that
definitions will be out for the initial variation of this
malware soon.

After determining the attack vector/infection technique, I
would typically reinstall or reimage the computer.  I may be
a little paranoid, but I really don't like not knowing
positively what the state of security really is after a
compromise of this nature.


It would be great if any determination could be made as to
what the infection vector might have been.  Email, IM, website
download?  From the reports I have seen it seems the file that
appears to be part of the 1st stage infection is
C:\WINDOWS\SYSTEM32\usb.exe.

Hopefully I will have more details in the morning that I can share.

Scott

At 07:25 PM 1/11/2007, Tim Lane wrote:
Hi All,

Has anyone seen (for want of a better term) the Yay
Malware.  We are seeing a small window with the word "yay" in it
appear on the desktop with a lot of outgoing traffic.  A search on
Google cites quite a few people seeing this in the last 24 hours but
no resolution.

We have tried to remove it with:

Symantec AV
Adaware
Spybot S&D
Defender
XoftSpySE
MSRT

Seems like it may be very new and the AV vendors have not
caught on yet....

If anyone has seen it and mitigated it I would be
interested to hear.

Thanks,

Tim


Tim Lane
Information Security Program Manager

Information Technology and Telecommunication Services Southern Cross
University PO Box 157 Lismore NSW 2480

02 6620 3290 | 02 6620 3033 | tlane () scu edu au
http://www.scu.edu.au
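David asks for a characterisation of the "lot of outgoing traffic" so that other sites know what to look for. The script below is an added example written for this archive page, not something posted by anyone in the thread: it summarises outbound flows per internal host from firewall or flow-export log lines and flags hosts that fan out to many external destinations, which is the shape the reports describe. The log format (one flow per line: timestamp, source, destination, protocol, destination port, bytes), the campus address range 10.0.0.0/8 and the sample lines themselves are all constructed assumptions; the thresholds are starting points to tune against a site's own baseline.

```python
"""Summarise per-host outbound traffic from flow log lines (constructed example)."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log, not data from the thread.
# Fields: time src dst proto dport bytes
SAMPLE_LOG = """\
2007-01-11T19:00:01 10.1.5.23 203.0.113.10 tcp 80 1532
2007-01-11T19:00:04 10.1.5.23 198.51.100.7 tcp 443 8020
2007-01-11T19:00:05 10.1.5.40 198.51.100.20 tcp 6667 412
2007-01-11T19:00:06 10.1.5.40 203.0.113.55 tcp 25 2300
2007-01-11T19:00:06 10.1.5.40 203.0.113.56 tcp 25 2300
2007-01-11T19:00:07 10.1.5.40 203.0.113.57 tcp 25 2300
2007-01-11T19:00:07 10.1.5.40 203.0.113.58 tcp 25 2300
2007-01-11T19:00:08 10.1.5.40 198.51.100.99 udp 53 90
malformed line here
2007-01-11T19:00:09 203.0.113.10 10.1.5.23 tcp 1234 600
"""

# Assumption: the campus uses this range; only flows leaving it are counted.
INTERNAL = ip_network("10.0.0.0/8")


def parse_line(line):
    """Parse one flow record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, nbytes = parts
    try:
        return {
            "ts": ts,
            "src": ip_address(src),
            "dst": ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
            "bytes": int(nbytes),
        }
    except ValueError:
        return None


def summarize_outbound(log_text):
    """Per internal host: bytes sent, flow count, distinct external destinations,
    and bytes per destination port (which tells you *what kind* of traffic it is)."""
    stats = defaultdict(lambda: {"bytes": 0, "flows": 0, "dsts": set(), "ports": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in INTERNAL or rec["dst"] in INTERNAL:
            continue  # skip unparsable, inbound, and internal-to-internal flows
        host = stats[str(rec["src"])]
        host["bytes"] += rec["bytes"]
        host["flows"] += 1
        host["dsts"].add(str(rec["dst"]))
        host["ports"][f'{rec["proto"]}/{rec["dport"]}'] += rec["bytes"]
    return stats


def flag_hosts(stats, min_flows=5, min_dsts=4):
    """Flag hosts that both generate many flows and spread them over many
    destinations; a single large download does not trip this, fan-out does."""
    flagged = {}
    for host, h in stats.items():
        if h["flows"] >= min_flows and len(h["dsts"]) >= min_dsts:
            flagged[host] = {
                "bytes": h["bytes"],
                "unique_dsts": len(h["dsts"]),
                "top_ports": h["ports"].most_common(3),
            }
    return flagged


if __name__ == "__main__":
    summary = summarize_outbound(SAMPLE_LOG)
    for host, info in flag_hosts(summary).items():
        print(host, info["bytes"], "bytes to", info["unique_dsts"], "hosts;",
              "top ports:", info["top_ports"])
```

Run against a real export, the interesting output is the port breakdown for a flagged host: a machine that normally talks HTTP and suddenly fans out on one unusual port to dozens of addresses is the kind of signature the list was asking for, and it gives the network team something concrete to block at the border while the host is being reimaged.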

