[76728] in North American Network Operators' Group
Israeli ISPs experience broadband dialer malware outbreak
daemon@ATHENA.MIT.EDU (Gadi Evron)
Wed Dec 22 11:31:14 2004
Date: Wed, 22 Dec 2004 18:36:57 +0200
From: Gadi Evron <ge@linuxbox.org>
To: nanog list <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
I received several notices today from fellow ISPs, originally from an
Israeli ISPs' security information sharing mailing list, that several
large Israeli ISPs are experiencing an outbreak that causes tech support
lines to overflow.
Basically, this malware appears to change the dialer configuration for
broadband users. The "Advanced" setting is turned back to "Basic", the Local
Area Connection is being played with, the user name is changed to
<random number>username, etc.
The users get the following errors: 734, 769, 789 or 800.
In the press, several rumors are circulating:
1. This thing is from Kazaa.
2. Process names are: chksp2.exe, sp2ctr.exe and glwgmgeb.exe.
3. Also, this link has been provided:
http://www.sophos.com/virusinfo/analyses/trojdlucam.html
I haven't yet gotten my hands on a sample, but I hope to have one soon.
I haven't seen any chatter about this in AV forums... and for now it
seems to be limited to Israel, unless someone can inform me differently?
Gadi.
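A triage helper for the symptoms described in the post above. This is an added example, not code from the original post or from any of the ISPs mentioned. The three process names and the four error codes are the ones circulated in the post and are treated here as unconfirmed indicators; the INI-style dialer export layout and its `UserName` key are assumptions made for this example, as is the "<random number>username" pattern being digits glued directly in front of the real account name.

```python
"""
Triage helper for the dialer-tampering symptoms reported on NANOG.
Added example; not from the original post.  Process names and error
codes come from the post (rumor-level indicators); the INI-style export
layout and the 'UserName' key are assumptions for this example.
"""
import configparser
import re

# Process names circulated in the post (unconfirmed; compare case-insensitively).
REPORTED_PROCESSES = {"chksp2.exe", "sp2ctr.exe", "glwgmgeb.exe"}

# Dial-up error codes the post says affected users are seeing.
REPORTED_ERRORS = {734, 769, 789, 800}

# "<random number>username": assumed to be a run of digits prepended to the
# real account name.  The 'orig' group recovers the probable original name.
PREFIXED_USERNAME = re.compile(r"^\d+(?P<orig>[A-Za-z_][\w.@-]*)$")


def suspicious_processes(running):
    """Return the reported process names found in a list of running image names."""
    return sorted({p for p in running if p.lower() in REPORTED_PROCESSES})


def tampered_entries(pbk_text):
    """Parse an INI-style dialer export (assumed layout) and return
    (entry name, current user name, probable original user name) for every
    entry whose user name carries a numeric prefix."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key names exactly as written
    cfg.read_string(pbk_text)
    hits = []
    for entry in cfg.sections():
        user = cfg[entry].get("UserName", "")
        m = PREFIXED_USERNAME.match(user)
        if m:
            hits.append((entry, user, m.group("orig")))
    return hits


def triage(running, pbk_text, error_code=None):
    """Combine the three observations from the post into one verdict dict.
    Any single hit is a reason to pull the box for a sample, not proof."""
    return {
        "processes": suspicious_processes(running),
        "entries": tampered_entries(pbk_text),
        "reported_error": error_code in REPORTED_ERRORS,
    }


# Constructed sample data for this example (not real captures).
SAMPLE_PROCESSES = ["explorer.exe", "SP2CTR.EXE", "rasphone.exe", "glwgmgeb.exe"]
SAMPLE_PBK = """\
[MyISP PPPoE]
Type=1
UserName=48213user@isp.example
[Office VPN]
Type=2
UserName=jdoe
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PROCESSES, SAMPLE_PBK, error_code=769))
```

The output is a triage flag set, not a detection verdict: the process names came from press rumors and the author had no sample yet, so a support desk would use a hit as the trigger to collect the binary and the changed dialer entry rather than as confirmation of the outbreak.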