[60194] in North American Network Operators' Group
RE: New or existing virus/vulnerability in Windows software?
daemon@ATHENA.MIT.EDU (Dan Lockwood)
Sat Aug 2 17:16:59 2003
Date: Sat, 2 Aug 2003 14:13:55 -0700
From: "Dan Lockwood" <dlockwood@shastalink.k12.ca.us>
To: "NANOG" <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
Rob was kind enough to look into my problem and found it to be a bot
which is spread via TCP 139. No big alarm. Thanks to all!

Dan
-----Original Message-----
From: Dan Lockwood
Sent: Saturday, August 02, 2003 12:59
To: NANOG
Subject: New or existing virus/vulnerability in Windows software?

Everyone,

We are having fits with a new? virus or vulnerability. The
symptoms are as follows: an executable saatg.exe "appears" in the
startup folder of the All Users group and after a reboot launches
itself. It adds a registry entry under
HKEY_LOCAL_MACHINE/Software/Microsoft/CurrentVersion/Run. The
executable shows under processes and seems to also launch additional
processes, e.g. ~1.exe, ~2.exe, ~3.exe, etc. I cannot link any
malicious activity to this behavior, but it seems to be spreading like
wildfire on our network, apparently with absolutely no user activity.
In testing I have done thus far it finds its way on to a _virgin_ system
that has been installed disconnected from the network with CD media
including all relevant security patches. Panda anti-virus does not seem
to detect it either. It shows up on systems where there is no
interactive login, e.g. servers, regular users, and users with elevated
privileges. Additionally, once the executable is active it
systematically searches for other systems to share the good news with on
port TCP 135. I am aware of the recent vulnerabilities from Microsoft
regarding RPC and NetBIOS, but again, the recommended security fixes do
not seem to provide any relief. Does anyone have any insight into what
this thing is? TIA

Dan Lockwood
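The behaviour Dan describes, an infected host systematically probing other systems on TCP 135 (and, per Rob's finding, spreading over TCP 139), is visible to a network operator in flow records long before an anti-virus signature exists. The following script is an added example, not part of the original thread or of any product mentioned in it: it reads simple flow records and flags internal hosts that contact an unusually large number of distinct destinations on those ports within a short sliding window. The record format, the sample flows, the fan-out threshold and the window length are all constructed or assumed for the example.

```python
"""Flag hosts fanning out to many distinct peers on TCP 135/139 (worm-style scanning).

Constructed flow record format, one per line:  <epoch> <src_ip> <dst_ip> <dst_port>
The threshold and window length are assumptions for this example, not values
taken from the thread; tune them to the normal RPC/NetBIOS chatter of your network.
"""
from collections import defaultdict

WORM_PORTS = {135, 139}      # RPC endpoint mapper and NetBIOS session, as named in the thread
FANOUT_THRESHOLD = 20        # distinct destinations per window before we alert (assumed)
WINDOW_SECONDS = 60          # sliding window length in seconds (assumed)


def parse_flow(line):
    """Parse one 'epoch src dst dport' record; return None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return int(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def find_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: peak distinct-destination count} for sources at or above threshold.

    A sliding window over time-sorted records means a slow trickle of legitimate
    RPC/SMB connections spread over a day does not trip the alarm, while a burst
    of probes to many different hosts within a minute does.
    """
    flows = [f for f in (parse_flow(ln) for ln in lines) if f and f[3] in WORM_PORTS]
    flows.sort()                                   # order by timestamp
    by_src = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_src[src].append((ts, dst))

    scanners = {}
    for src, events in by_src.items():
        peak = 0
        start = 0
        counts = defaultdict(int)                  # dst -> flows inside the current window
        for ts, dst in events:
            counts[dst] += 1
            # advance the window start until every counted flow is within `window` seconds
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
                start += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            scanners[src] = peak
    return scanners


# Constructed sample: 10.0.0.5 probes 30 hosts on TCP 135 within 30 seconds (scanner),
# 10.0.0.9 talks to one file server on TCP 139 six times over an hour (benign),
# plus one malformed line and one unrelated port-80 flow that must be ignored.
SAMPLE_FLOWS = [f"{1059858000 + i} 10.0.0.5 10.0.1.{i + 1} 135" for i in range(30)]
SAMPLE_FLOWS += [f"{1059858000 + i * 600} 10.0.0.9 10.0.2.10 139" for i in range(6)]
SAMPLE_FLOWS += ["garbage line", "1059858100 10.0.0.9 10.0.2.11 80"]

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct peers on TCP 135/139 within {WINDOW_SECONDS}s")
```

Running it on the constructed sample reports only 10.0.0.5. In practice the records would come from a router's flow export or a firewall log, and a host that trips this check is a candidate for the persistence indicators Dan lists (the startup-folder executable and the Run key entry) rather than proof of infection on its own.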