List: incidents
Subject: Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1
From: Matthew Jonkman <matt () infotex ! com>
Date: 2004-07-12 15:47:07
Message-ID: 40F2B27B.9010009 () infotex ! com
Crude snort rule to catch it:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
msg:"BLEEDING-EDGE VIRUS Psyme Trojan Download"; \
uricontent:"/download/IEService215.chm"; nocase; sid:2000365; rev:1; )
Updates to it will be at www.bleedingsnort.com
Matt
Axel Pettinger wrote:
> "Humes, David G." wrote:
>
>>Starting around July 8th we noticed workstations trying to access
>>67.109.249.3 on port 80 and do a
>>
>>GET /download/IEService215.chm HTTP/1.1
>>
>>Analysis of the users' browsing activity did not reveal any pattern
>>that would suggest that the activity was user-initiated. We suspect
>>that this is something trying to "phone home", but not sure quite
>>what. A reverse lookup of the IP just returns
>>67.109.249.3.ptr.us.xo.net, and whois just tells me that it belongs to
>>XO. Has anyone else seen this and know what it is?
>
>
> The CHM file is according to Kaspersky a trojan downloader called
> "TrojanDownloader.VBS.Psyme.ak". It makes use of IE's ADODB problem to
> download and execute a trojan called "Trojan.Win32.StartPage.kf".
> Detection added last Saturday.
>
> The funny thing is that NAI's virus research lab (APAC) decided to call
> the "StartPage trojan" (only) a "potentially unwanted application" named
> "FindFast" ... Detection via "extra.dat" at the moment, probably later
> today in their DailyDAT files.
>
> BTW, is the patch for MS04-013 installed on the workstations you
> mentioned?
>
> Regards,
> Axel Pettinger
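The Snort rule above only catches the request as it happens on the wire. An incident responder will also want to sweep existing proxy logs for the same URI to find which workstations already made the request. The script below is an added example, not code from Matt's post or from bleedingsnort.com: it applies the same test the rule does (a case-insensitive substring match on the request URI, the equivalent of `uricontent` with `nocase`) to a constructed Squid-style access log and tallies the client addresses that requested the file. The log lines, client addresses and timestamps are made up for the example; the URI and server address come from the thread.

```python
"""Sweep a proxy access log for the /download/IEService215.chm request.

Added example, not from the original mailing-list post. The log format is
assumed to be Squid's native access.log layout:
  timestamp elapsed client code/status bytes method URL rfc931 peer/host type
"""
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit

# URI fragment reported in the thread; matched case-insensitively, like `nocase`.
PSYME_URI = "/download/IEService215.chm"

# Constructed sample log. Line 3 varies the case, line 4 is a different .chm,
# and line 5 is truncated to show that malformed lines are skipped, not fatal.
SAMPLE_LOG = """\
1089625200.123    45 10.1.4.22 TCP_MISS/200 5120 GET http://67.109.249.3/download/IEService215.chm - DIRECT/67.109.249.3 application/octet-stream
1089625201.456    12 10.1.4.23 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1089625202.789    30 10.1.4.24 TCP_MISS/200 5120 GET http://67.109.249.3/DOWNLOAD/ieservice215.CHM?r=1 - DIRECT/67.109.249.3 application/octet-stream
1089625203.000    15 10.1.4.25 TCP_MISS/404 300 GET http://www.example.org/download/other.chm - DIRECT/192.0.2.11 text/html
1089625204.000    15 10.1.4.26
"""


class Hit(NamedTuple):
    timestamp: float
    client: str
    url: str


def uri_matches(url: str, needle: str = PSYME_URI) -> bool:
    """Case-insensitive substring test on the path (plus query) of the URL.

    This approximates Snort's `uricontent:"..."; nocase;`, which inspects the
    normalized request URI rather than the whole HTTP request.
    """
    parts = urlsplit(url)
    uri = parts.path
    if parts.query:
        uri += "?" + parts.query
    return needle.lower() in uri.lower()


def parse_squid_line(line: str) -> Optional[Tuple[float, str, str, str]]:
    """Return (timestamp, client, method, url) for one Squid native log line,
    or None when the line is blank or too short to carry those fields."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    return ts, fields[2], fields[5], fields[6]


def find_psyme_requests(log_text: str) -> List[Hit]:
    """Every GET in the log whose URI contains the Psyme download path."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        ts, client, method, url = parsed
        if method == "GET" and uri_matches(url):
            hits.append(Hit(ts, client, url))
    return hits


def affected_hosts(hits: List[Hit]) -> Counter:
    """Count matching requests per client address: the follow-up list."""
    return Counter(h.client for h in hits)


if __name__ == "__main__":
    found = find_psyme_requests(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.timestamp:.3f} {hit.client} {hit.url}")
    print("workstations to check:", dict(affected_hosts(found)))
```

Run it as-is to see the two matching lines and the per-client tally; point `find_psyme_requests` at a real access.log read from disk to do the same sweep on production data. The query-string handling matters because Snort's `uricontent` buffer includes the query, so a request that appends parameters to the path still matches both the rule and this script.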