Security Incidents mailing list archives

Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3


From: Ronaldo C Vasconcellos <ronaldo () cais rnp br>
Date: Sun, 11 Jul 2004 10:37:30 -0300 (BRST)

On Fri, 9 Jul 2004, Humes, David  G. wrote:

> Starting around July 8th we noticed workstations trying to access
> 67.109.249.3 on port 80 and do a
>
> GET /download/IEService215.chm HTTP/1.1
>
> Analysis of the users' browsing activity did not reveal any pattern that
> would suggest that the activity was user-initiated.  We suspect that this is
> something trying to "phone home", but not sure quite what.  A reverse lookup
> of the IP just returns 67.109.249.3.ptr.us.xo.net, and whois just tells me
> that it belongs to XO.  Has anyone else seen this and know what it is?

A bit more info about this file:

. File type: MS Windows HtmlHelp Data (according to the latest version of
  file[1])
. MD5 checksum is e47db712c8684bd5be91de20e6650993
. Identified as TrojanDownloader.VBS.Psyme.ak by Kaspersky 3.0 and Sybari
  7.5.1314 (thanks to virustotal.com).


PestPatrol - TrojanDownloader.VBS.Psyme
http://www.pestpatrol.com/pestinfo/t/trojandownloader_vbs_psyme.asp

Symantec Security Response - Downloader.Psyme
http://securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html

Ronaldo

[1] file - determine file type
ftp://ftp.astron.com/pub/file/
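The indicators quoted in this thread (the XO address, the request path and the MD5 of the .chm) are exactly what a defender would turn into a quick triage script. The block below is an added example, not code from either poster: it flags clients in a web-proxy log that requested the downloader, and checks whether a file on disk is an HtmlHelp (.chm) file whose hash matches the sample. The log line format is a constructed, Squid-like layout; the `ITSF` signature is the standard CHM file header and is an assumption not stated in the thread.

```python
"""Triage helper for the IEService215.chm report (added example).

Indicators come from the thread; the log format and the CHM magic check
are assumptions made here, not part of the original messages.
"""
import hashlib
import re

SUSPECT_IP = "67.109.249.3"
SUSPECT_PATH = "/download/IEService215.chm"
SUSPECT_MD5 = "e47db712c8684bd5be91de20e6650993"

# Constructed sample proxy log: "<client> <method> <url> <status>".
SAMPLE_LOG = """\
10.1.2.30 GET http://67.109.249.3/download/IEService215.chm 200
10.1.2.31 GET http://www.example.com/index.html 200
10.1.2.30 GET http://67.109.249.3/download/IEService215.chm 200
10.1.2.45 GET http://67.109.249.3/download/IEService215.chm 404
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def flag_hosts(log_text):
    """Return {client: request_count} for clients that requested either
    the suspect address or the suspect path, regardless of HTTP status
    (a 404 still shows the workstation tried to phone home)."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines rather than abort
        client, _method, url, _status = m.groups()
        if SUSPECT_IP in url or url.endswith(SUSPECT_PATH):
            hits[client] = hits.get(client, 0) + 1
    return hits


def is_chm(data):
    """MS HtmlHelp files begin with the 4-byte 'ITSF' signature
    (assumption: this is what `file` keys on for 'MS Windows HtmlHelp Data')."""
    return data[:4] == b"ITSF"


def matches_known_sample(data):
    """True if the bytes hash to the MD5 quoted in the thread."""
    return hashlib.md5(data).hexdigest() == SUSPECT_MD5


def check_file(data):
    """Summarise a candidate file: is it a CHM, and is it the known sample?"""
    return {"chm": is_chm(data), "known_sample": matches_known_sample(data)}


if __name__ == "__main__":
    for client, count in sorted(flag_hosts(SAMPLE_LOG).items()):
        print(f"{client}: {count} request(s) for the downloader")
    # Constructed stand-in for a file pulled from a workstation's cache.
    print(check_file(b"ITSF" + b"\x00" * 28))
```

Because the hash will not match a file that has been repacked or re-served, treat the MD5 as confirmation of this specific sample only; the `ITSF` check plus the request pattern is what catches the next variant.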

