Possible new worm -- anyone see this?
daemon@ATHENA.MIT.EDU (Mike LaMonaca)
Mon Feb 11 15:23:14 2002
Message-ID: <NEBBIABOPAKEHPGONKAAAEGGDIAA.mhl@pobox.upenn.edu>
Date: Mon, 11 Feb 2002 15:14:57 -0500
Reply-To: mhl@pobox.upenn.edu
From: Mike LaMonaca <mhl@pobox.upenn.edu>
To: RESNET-L@listserv.nd.edu
Dear fellow ResNetters:
Hi! Some of our student computers may have been infected by a new worm.
Has anyone else been seeing this on their campuses? What's happening:
One of our student managers noticed some strange behavior on a few Windows
2000 machines in his dorm. Among the behavior (as he reported it):
a. Control Panel only displays the icons in the first quarter (the left side) of the window.
b. When the computer boots up, there is an error that says "NAV Alert: Error starting RPC server." The system then takes a long time to load Windows.
c. Some of the computers had multiple instances of ping.exe active. (This likely was the worm trying to propagate itself.)
d. Word, Outlook, and Excel give a few random errors when they start up.
e. Pop-up windows won't load. While they may be a good thing to some degree, no pop-up windows display at all, including properties dialog boxes.
f. The Add/Remove Programs window doesn't load correctly. There's just some jumbled text, so I can't uninstall anything.
g. The printer is no longer recognized.
h. Cut, Copy, and Paste don't work.
i. Floppies can't be saved to.
He did some investigation on these computers, and was able to isolate what
he thinks is a new, undocumented worm. An almost 2 MB .rar file
(svchost.rar) is decompressed into c:\winnt\system32\svchost\ -- the
individual files are made up of .bat, .exe, .dll files and registry edits --
also, a program called "eggdropp".
Our Information Security department has been analyzing the files, and have
also sent it off to Symantec (we have a license for Norton AV). What
Information Security hasn't figured out yet is how this worm propagates.
The infected users haven't opened any attachments, nor had IIS running.
There's also some concern about a report from last week that a security flaw
was discovered in Morpheus (which the Morpheus makers denied) -- I don't
know if all of the infected machines were running Morpheus, but most student
computers here are.
Networking has also detected what appears to be a DDoS attack -- I'm not
sure what was being hit, though (our network, or someone else's). But they
have determined that the worm tries to access two IP addresses:
64.49.222.242 port 2100, and 128.119.118.123 port 2100.
Looking at two netstats that were sent to me, both showed an open TCP port
at 6899 -- could be another clue...
When searching the Win2000 newsgroups on Google, a few people have reported
the same symptoms, but there wasn't any helpful info. (But this indicates
that the problem is not local to Penn.)
Some of the filenames within that .rar file:
254.com
254.dll
fire.bat
good_client.exe
(If anyone would like to have the .rar file to examine it, let me know -- we
have it on a server, and I can give you the URL.)
Thanks!
- Mike :-)
--
Mike LaMonaca / mhl@pobox.upenn.edu | University of Pennsylvania
Database/Web Applications Developer | Office of College Houses and
Harnwell College House, Suite 212 | Academic Services
Phone: 215-573-4055 | www.mikelamonaca.com
"What fools these portals be -- and I, their investor!"
- Topfive.com's #1 least-quoted line from Shakespeare
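As an added example (not part of Mike's post or of any Penn tooling), a small Python triage script that scans a saved `netstat -an` capture for the two network indicators reported above: a TCP listener on port 6899 and connections to the two addresses on port 2100. The sample capture is constructed, and the line pattern assumes the Windows 2000 `netstat -an` column layout.

```python
"""Flag the netstat indicators reported in the ResNet-L post (added example)."""
from __future__ import annotations
import re
from typing import NamedTuple

# Indicators quoted from the post; their maliciousness was not confirmed there.
SUSPECT_REMOTES = {("64.49.222.242", 2100), ("128.119.118.123", 2100)}
SUSPECT_LISTEN_PORTS = {6899}

# Constructed sample in the Windows 2000 `netstat -an` layout (not a real capture).
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6899           0.0.0.0:0              LISTENING
  TCP    10.1.2.3:1042          64.49.222.242:2100     ESTABLISHED
  TCP    10.1.2.3:1043          192.0.2.10:80          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

class Finding(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str
    reason: str

# Proto, local addr:port, foreign addr:port, optional state (UDP rows have none).
# IPv4 only, which is all a Windows 2000 host would show.
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

def triage_netstat(text: str) -> list[Finding]:
    """Return one Finding per row that matches a reported indicator."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # banner, column header, blank lines
        proto, laddr, lport, raddr, rport, state = m.groups()
        state = state or ""
        rport_num = int(rport) if rport.isdigit() else -1  # "*" for UDP rows
        reason = None
        if (raddr, rport_num) in SUSPECT_REMOTES:
            reason = f"connection to remote endpoint reported in the post: {raddr}:{rport}"
        elif proto == "TCP" and state == "LISTENING" and int(lport) in SUSPECT_LISTEN_PORTS:
            reason = f"listener on port {lport} reported in the post"
        if reason:
            findings.append(Finding(proto, f"{laddr}:{lport}", f"{raddr}:{rport}", state, reason))
    return findings

if __name__ == "__main__":
    for f in triage_netstat(SAMPLE_NETSTAT):
        print(f"{f.proto:4} {f.local:22} {f.remote:22} {f.state:12} {f.reason}")
```

Feed it the output of `netstat -an > netstat.txt` from a suspect host; a hit on either indicator is a reason to pull the box off the network and image it rather than proof of the same worm.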
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________