"Edwards, David (JTS)" <Edwards.Daveat_private> wrote: > We've just found some instances of "netbuie.exe" running in some terminal > server sessions here. The file was written to the Winnt\system32 directory > about 6:00pm on Sunday and registry entries made in: > > HKLM/Software\Microsoft\windows\current version\run > HKLM/Software\Microsoft\windows\run First, why do non-admin users even have write access to these keys? If they don't, you clearly need to revise your site's judgments about who is worthy of having admin (equivalent) passwords. > It seems to be a Vb 5 PE that hits on two web sites, scorpionsearch.com and > fastcounter.bcentral.com when run. Possibly just generating revenue for > some bod somewhere. It wouldn't be the first... > Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server > patches missing and 2 IE6. > > This sounded familiar (when I first saw it) but I haven't been able to find > any other references so I thought I'd make one :-) The worry is (of > course) that the server is further compromised. Anyone seen this before? Can't help you on the likely entry point, but given that non-admin users can change crucial registry key contents or that some of your admins are incompetent, I'm not sure that compromise via open security vulnerabilities is the most obvious path of entry... Anyway, aside from resolving how it got on your machines, please send samples to your preferred antivirus developers. If this thing is being actively spread (regardless of how) getting detection of it into virus scanners is the best technique to reduce its continued spread. To save you digging them out, here are the sample submission addresses of the better-known AV developers: Command Software <virusat_private> Computer Associates (US) <virusat_private> Computer Associates (Vet/EZ) <ipevirusat_private> DialogueScience (Dr. Web) <Antivirat_private> Eset (NOD32) <trnkaat_private> F-Secure Corp. <samples@f-secure.com> Frisk Software (F-PROT) <viruslab@f-prot.com> Grisoft (AVG) <virusat_private> Kaspersky Labs <newvirusat_private> Network Associates (McAfee) <virus_researchat_private> Norman (NVC) <analysisat_private> Sophos Plc. <supportat_private> Symantec (Norton) <avsubmitat_private> Trend Micro (PC-cillin) <virus_doctorat_private> (Trend may only accept files from registered users of its products) -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue May 07 2002 - 21:30:31 PDT