Security Incidents mailing list archives

Re: Backdoor-CGT


From: Mike Barushok <barushok () keycreations com>
Date: Thu, 15 Jul 2004 21:34:15 -0500 (CDT)


Here is what I came up with:

genmexe.biz.            NS      ns1.machinenamez.biz.
genmexe.biz.            NS      ns2.machinenamez.biz.
genmexe.biz.            A       219.129.216.227
*.genmexe.biz.          A       219.129.216.227
ns1.genmexe.biz.        A       219.129.216.227
ns2.genmexe.biz.        A       219.129.216.235
www.genmexe.biz.        A       219.129.216.227

-And-

inetnum:      219.128.0.0 - 219.137.255.255
netname:      CHINANET-GD
descr:        CHINANET Guangdong province network
descr:        Data Communication Division
descr:        China Telecom
country:      CN
admin-c:      CH93-AP
tech-c:       WM12-AP
mnt-by:       MAINT-CHINANET
mnt-lower:    MAINT-CHINANET-GD
changed:      hostmaster () ns chinanet cn net 20020424
status:       ALLOCATED PORTABLE
source:       APNIC

person:       Chinanet Hostmaster
address:      No.31 ,jingrong street,beijing
address:      100032
country:      CN
phone:        +86-10-66027112
fax-no:       +86-10-58501144
e-mail:       hostmaster () ns chinanet cn net
e-mail:       anti-spam () ns chinanet cn net
nic-hdl:      CH93-AP
mnt-by:       MAINT-CHINANET
changed:      hostmaster () ns chinanet cn net 20021016
remarks:      hostmaster is not for spam complaint,please send spam complaint to anti-spam () ns chinanet cn net
source:       APNIC

person:       WU MIAN
address:      NO.1,RO.DONGYUANHENG,YUEXIUNAN,GUANGZHOU
country:      CN
phone:        +086-20-83877223
fax-no:       +86-20-83877223
e-mail:       ipadm () gddc com cn
nic-hdl:      WM12-AP
mnt-by:       MAINT-CHINANET-GD
changed:      ipadm () gddc com cn 20010820
source:       APNIC

On 15 Jul 2004 securityguy () dslextreme com wrote:



McAfee, and several news outlets, are reporting the spread of this trojan horse.  Info at 
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=126681

One of the entries at McAfee is that blocking genmexe.biz prevents downloading the trojan.  Has anyone seen an ip 
address for this url?

- SG


--

Mike Barushok
Senior Security Administrator
KeyCreations.com/KCISP.net/ispKansas.com
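An added example, not part of this thread, showing how a defender can turn the record and inetnum lines above into a blocklist and sanity-check them: the sample lines are copied from the post and embedded inline, and the function names are mine.

```python
import ipaddress
import re

# Sample input copied from the post above and embedded so this runs offline.
DNS_LINES = """\
genmexe.biz.            NS      ns1.machinenamez.biz.
genmexe.biz.            NS      ns2.machinenamez.biz.
genmexe.biz.            A       219.129.216.227
*.genmexe.biz.          A       219.129.216.227
ns1.genmexe.biz.        A       219.129.216.227
ns2.genmexe.biz.        A       219.129.216.235
www.genmexe.biz.        A       219.129.216.227
"""

WHOIS_LINES = """\
inetnum:      219.128.0.0 - 219.137.255.255
netname:      CHINANET-GD
"""


def parse_records(text):
    """Parse 'name TYPE value' lines into (name, type, value) tuples."""
    return [tuple(p) for p in (l.split() for l in text.splitlines()) if len(p) == 3]


def parse_inetnum(text):
    """Return the (start, end) addresses from the whois 'inetnum:' line."""
    m = re.search(r"inetnum:\s*(\S+)\s*-\s*(\S+)", text)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def netblock_cidrs(whois_text):
    """Collapse the inetnum range into CIDR prefixes usable in a firewall rule."""
    start, end = parse_inetnum(whois_text)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def has_wildcard(dns_text):
    """True if a '*.' A record exists, so every subdomain resolves to the host;
    a hostname block must then cover the whole domain, not just www."""
    return any(n.startswith("*.") and t == "A" for n, t, _ in parse_records(dns_text))


def blocklist_addresses(dns_text, whois_text):
    """Unique A-record addresses, each flagged with whether it lies inside
    the allocation the whois record describes (a cross-check on the lookup)."""
    start, end = parse_inetnum(whois_text)
    result = {}
    for _, rtype, value in parse_records(dns_text):
        if rtype == "A":
            ip = ipaddress.ip_address(value)
            result[str(ip)] = start <= ip <= end
    return result
```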


