
List:       focus-virus
Subject:    FW: New virus outbreak.
From:       "Brad" <gryphonn () austarnet ! com ! au>
Date:       2003-03-10 9:13:17

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I figured this would be a more appropriate list for this query. Hopefully
our moderator will see fit to push this through.
Cheers,
Gryph

> -----Original Message-----
> From: Danny [mailto:Danny@drexel.edu] 
> Sent: Saturday, 8 March 2003 8:42 AM
> To: 'intrusions@incidents.org'
> Cc: 'incidents@securityfocus.com'
> Subject: New virus outbreak.
> 
> 
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Hey Guys,
> We have been alerted to a virus outbreak by one of
> our sister networks that appears to be new and undetected by 
> Norton AV and is mis-detected by McAfee. McAfee detects this 
> virus as backdoor-jz but is unable to clean the virus. Sorry 
> I don't have a whole lot of details on this yet but here is a 
> list of the files running on infected systems. 
> 
> > 
> > These are the virus processes that we've seen running:
> > 
> > cbnegs.exe
> > Winlogon .exe
> > sjhdyl.exe
> > kbld.exe
> > duckduck.exe
> > explorer .exe
> > ~xxxxx
> > oocfwm.exe
> > gwigsb.exe
> > jkexnj.exe
> > lknq.exe
> > kjnj.exe
> 
> The virus appears to infect Windows hosts regardless of the 
> OS version. It appears to alter the start menu items of 
> infected hosts and makes them look garbled. At this time I 
> don't know how this virus is spreading but I will let you 
> know if I find out, none of the hosts I have access to are 
> currently infected but it appears to be spreading through our 
> sister network pretty quickly.
> 
> Has anyone seen anything like this? Or recognize the signature maybe? 
> 
> Any info would be greatly appreciated.
> 
> Cheers
> Danny
> Network Security Engineer
> Drexel University
> PGP Print: C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC F4ED F1E0 
> PGP Key: http://akasha.irt.drexel.edu/danny.asc
>  
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
> 
> iQA/AwUBPmkhA2b1zPz07fHgEQItBwCbBxNG2j/HPrqgwAfoyZhMy4CXvp0AoMqM
> fACTSk3u63sEDW+okA5XssUL
> =D2mI
> -----END PGP SIGNATURE-----
> 


-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/

iQA/AwUBPmvKjaXCdiiQggjQEQK2gQCg7v+UJFUpugFj6Mjni6wRUVrcz+kAoPO/
6QaRDepnJy/6tHChlSCy2/Bf
=vxro
-----END PGP SIGNATURE-----
