Educause Security Discussion mailing list archives
flurry of IM worms
From: Bob Bayn <Bob.Bayn () USU EDU>
Date: Tue, 29 Jan 2008 16:42:59 -0700
Last night and today we've been hit with a flurry of instant messages pointing to one of a variety of web links that end with /viewimage.php?=email () address edu. It appears that the infected machine in turn forwards the message to its IM contact list. Everybody here is happy to click on a link recommended by a friend, in spite of my "be an internet skeptic" campaign.

Is this happening to anyone else?

Bob Bayn
IT Security Team coordinator
Utah State University

Here's a thread describing what we're finding about it:

===================================================

On Tue, 2008-01-29 at 14:09 -0700, TJ Hilton wrote:
I'm working on one of the machines that clicked on the link. As of right now I've noticed that the worm does the following things:

1 - Added a file called c:\windows\wkssvc.exe (this is a known root kit)
2 - Added a startup entry in the registry for wkssvc.exe (\software\microsoft\windows\CurrentVersion\run)
3 - Added file WKSSVC.exe-037d0802 to C:\Windows\Prefetch
4 - Attempted to change c:\windows\system32\drivers\etc\hosts but was thwarted by McAfee. (was detected as Qhosts.apd)
5 - Enabled all udp/tcp services on c:\windows\system32\tcpsvcs.exe and opened tcp & udp ports 7, 9, 13, 17, 19
6 - Enabled all services on c:\windows\system32\inetsrv\inetinfo.exe FTP, HTTP, smtp and opened ports 80, 443, 21, 25
7 - Adds file c:\windows\spooler.exe
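A read-only host triage check for the artifacts listed in the quoted message, added here as an example and not part of the original thread. File paths, the Run key, the prefetch name and the port list come from the post; it assumes a modern Windows host with Get-NetTCPConnection available and an elevated PowerShell session.

```powershell
# Added example: look for the indicators TJ Hilton reports, without changing anything.
$findings = @()

# Items 1 and 7: dropped executables in C:\Windows
foreach ($f in 'C:\Windows\wkssvc.exe', 'C:\Windows\spooler.exe') {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

# Item 2: any Run-key value (machine or user hive) that launches wkssvc.exe
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$hive`:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'wkssvc\.exe') {
                $findings += "Run entry '$($p.Name)' -> $($p.Value) ($key)"
            }
        }
    }
}

# Item 3: prefetch trace for wkssvc.exe (the hash suffix differs per host)
Get-ChildItem -Path 'C:\Windows\Prefetch' -Filter 'WKSSVC.EXE-*' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "prefetch: $($_.FullName)" }

# Item 4: hosts-file entries beyond the default loopback line
# (comparing against a known-clean baseline copy is more reliable than this heuristic)
$hosts = 'C:\Windows\System32\drivers\etc\hosts'
if (Test-Path $hosts) {
    Get-Content $hosts |
        Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost' } |
        ForEach-Object { $findings += "hosts entry: $_" }
}

# Items 5 and 6: TCP listeners on the ports the post says the worm opens
$ports = 7, 9, 13, 17, 19, 21, 25, 80, 443
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings += "tcp/$($_.LocalPort) listening (pid $($_.OwningProcess), $proc)"
    }

if ($findings.Count -eq 0) { 'no indicators from the thread found' } else { $findings }
```

Item 5 also opens UDP ports; Get-NetUDPEndpoint with the same port filter covers those.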