[77316] in North American Network Operators' Group


Re: New Virus in the wild

daemon@ATHENA.MIT.EDU (Nils Ketelsen)
Tue Jan 18 09:04:43 2005

Date: Tue, 18 Jan 2005 08:58:32 -0500
From: Nils Ketelsen <nils.ketelsen@kuehne-nagel.com>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <41ED05B7.8020508@tehila.gov.il>; from gadi@tehila.gov.il on Tue, Jan 18, 2005 at 02:48:55PM +0200
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, Jan 18, 2005 at 02:48:55PM +0200, Gadi Evron wrote:
> Nils Ketelsen wrote:
> 
> > I still have no clue what is causing this, but I am pretty clueless when
> > it comes to Windows PCs anyway, and as you might have guessed: The PCs
> > making these connections are windows machines.
> 
> http://www.lurhq.com/baba.html
> 
> Thanks go to Joe Stewart from lurhq.


No, not it. Close but not exactly. I seem to be encountering a different
mutation of this Virus. First, the ports it is trying to connect
to are 25000-26000; second, the timestamp in the URL seems to be missing in
the above description.

What is true is that the infected file seems to be C:\csrss.exe. According to
McAfee Virus Scan (with the newest pattern file) this file was infected
with buchon.c. But the description does not fully match either. Anyways:
Killing the process and removing c:\csrss.exe helped.

McAfee has known about this Virus since last week, but decided
it was not worth an update of their regular patterns. Thank you for this
policy of slow updates; I will see that I get a vendor that acts
in time, I guess.


Nils
