Security Incidents mailing list archives
Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3
From: Ronaldo C Vasconcellos <ronaldo () cais rnp br>
Date: Sun, 11 Jul 2004 10:37:30 -0300 (BRST)
On Fri, 9 Jul 2004, Humes, David G. wrote:
Starting around July 8th we noticed workstations trying to access 67.109.249.3 on port 80 and do a GET /download/IEService215.chm HTTP/1.1. Analysis of the users' browsing activity did not reveal any pattern that would suggest that the activity was user-initiated. We suspect that this is something trying to "phone home", but not sure quite what. A reverse lookup of the IP just returns 67.109.249.3.ptr.us.xo.net, and whois just tells me that it belongs to XO. Has anyone else seen this and know what it is?
A bit more info about this file:

. File type: MS Windows HtmlHelp Data (according to the latest version of file[1])
. MD5 checksum is e47db712c8684bd5be91de20e6650993
. Identified as TrojanDownloader.VBS.Psyme.ak by Kaspersky 3.0 and Sybari 7.5.1314 (thanks to virustotal.com).

PestPatrol - TrojanDownloader.VBS.Psyme
http://www.pestpatrol.com/pestinfo/t/trojandownloader_vbs_psyme.asp

Symantec Security Response - Downloader.Psyme
http://securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html

Ronaldo

[1] file - determine file type
ftp://ftp.astron.com/pub/file/
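Added example (not from the thread or any of its posters): a defender-side check over a constructed proxy log that flags hosts fetching the URL in question, tests whether their requests recur on a fixed cadence (the "phone home" pattern the original poster could not tie to browsing), and compares a captured file against the MD5 quoted above. The combined log format, client addresses and five-minute cadence are assumptions; the IP, path and checksum are the values given on the list.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Indicators quoted from the thread: server IP, requested path, MD5 of the .chm
IOC_HOST = "67.109.249.3"
IOC_PATH = "/download/IEService215.chm"
IOC_MD5 = "e47db712c8684bd5be91de20e6650993"

# Constructed combined-format proxy log (not real traffic): host .15 fetches the
# file every five minutes, host .22 fetches it once during normal browsing.
SAMPLE_LOG = """\
10.1.2.15 - - [08/Jul/2004:09:00:01 -0500] "GET http://67.109.249.3/download/IEService215.chm HTTP/1.1" 200 4096
10.1.2.15 - - [08/Jul/2004:09:05:01 -0500] "GET http://67.109.249.3/download/IEService215.chm HTTP/1.1" 200 4096
10.1.2.15 - - [08/Jul/2004:09:10:01 -0500] "GET http://67.109.249.3/download/IEService215.chm HTTP/1.1" 200 4096
10.1.2.22 - - [08/Jul/2004:09:03:11 -0500] "GET http://www.example.com/news HTTP/1.1" 200 1234
10.1.2.22 - - [08/Jul/2004:09:04:40 -0500] "GET http://67.109.249.3/download/IEService215.chm HTTP/1.1" 200 4096
"""

# client - - [timestamp] "METHOD URL PROTO" status bytes
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+)[^"]*" \d+ \d+')

def find_clients_fetching_ioc(log_text):
    """Map each client that requested the IoC URL to the sorted timestamps of its requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["url"])
        if url.hostname == IOC_HOST and url.path == IOC_PATH:
            hits[m["client"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return {client: sorted(ts) for client, ts in hits.items()}

def beacon_interval(timestamps, tolerance_s=5):
    """Mean gap in seconds when 3+ requests recur at regular intervals, else None.
    Regular timing with no matching browsing is the 'phone home' pattern the poster describes."""
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if max(gaps) - min(gaps) > tolerance_s:
        return None
    return round(sum(gaps) / len(gaps))

def matches_known_sample(data):
    """True when a captured file's MD5 equals the checksum reported on the list."""
    return hashlib.md5(data).hexdigest() == IOC_MD5
```

A host that shows up in find_clients_fetching_ioc with a non-None beacon_interval is the strongest candidate for the automated behaviour described above; a single hit may just be a user who followed a link.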
Current thread:
- Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Humes, David G. (Jul 09)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Paul Schmehl (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Andy (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Paul Schmehl (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Ronaldo C Vasconcellos (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Thor Larholm (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Axel Pettinger (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Matthew Jonkman (Jul 12)