Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Tue May 07 2002 - 18:19:27 PDT


    "Edwards, David  (JTS)" <Edwards.Daveat_private> wrote:
    
    > We've just found some instances of "netbuie.exe" running in some terminal
    > server sessions here.  The file was written to the Winnt\system32 directory
    > about 6:00pm on Sunday and registry entries made in:
    > 
    > HKLM/Software\Microsoft\windows\current version\run
    > HKLM/Software\Microsoft\windows\run
    
    First, why do non-admin users even have write access to these keys?
    
    If they don't, you clearly need to revise your site's judgments about 
    who is worthy of having admin (equivalent) passwords.
    
    > It seems to be a Vb 5 PE that hits on two web sites, scorpionsearch.com and
    > fastcounter.bcentral.com when run.  Possibly just generating revenue for
    > some bod somewhere.
    
    It wouldn't be the first...
    
    > Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server
    > patches missing and 2 IE6.
    > 
    > This sounded familiar (when I first saw it) but I haven't been able to find
    > any other references so I thought I'd make one :-)   The worry is (of
    > course) that the server is further compromised.  Anyone seen this before?
    
    Can't help you on the likely entry point, but given that non-admin 
    users can change crucial registry key contents or that some of your 
    admins are incompetent, I'm not sure that compromise via open 
    security vulnerabilities is the most obvious path of entry...
    
    Anyway, aside from resolving how it got on your machines, please send 
    samples to your preferred antivirus developers.  If this thing is 
    being actively spread (regardless of how) getting detection of it 
    into virus scanners is the best technique to reduce its continued 
    spread.  To save you digging them out, here are the sample submission 
    addresses of the better-known AV developers:
    
       Command Software             <virusat_private>
       Computer Associates (US)     <virusat_private>
       Computer Associates (Vet/EZ) <ipevirusat_private>
       DialogueScience (Dr. Web)    <Antivirat_private>
       Eset (NOD32)                 <trnkaat_private>
       F-Secure Corp.               <samples@f-secure.com>
       Frisk Software (F-PROT)      <viruslab@f-prot.com>
       Grisoft (AVG)                <virusat_private>
       Kaspersky Labs               <newvirusat_private>
       Network Associates (McAfee)  <virus_researchat_private>
       Norman (NVC)                 <analysisat_private>
       Sophos Plc.                  <supportat_private>
       Symantec (Norton)            <avsubmitat_private>
       Trend Micro (PC-cillin)      <virus_doctorat_private>
         (Trend may only accept files from registered users of its
         products)
    
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
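Nick's first question (why non-admin users can write to the HKLM Run keys at all) is checkable. The script below is an added example, not part of the original thread or anything its authors posted: it lists every autorun value under the keys named in the message and flags any Allow ACE that grants write-capable registry rights to a principal outside a small trusted set. The key paths follow the post (the second, `...\Windows\Run`, is not a standard key and is reported as absent if missing); `RunOnce` and the trusted-writer list are my additions. Run it in an elevated PowerShell on the affected host.

```powershell
# Added example (not from the original post): audit machine-wide autorun keys
# for unexpected entries and for write access held by non-admin principals.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',   # added; sibling of Run
    'HKLM:\SOFTWARE\Microsoft\Windows\Run'                       # path as quoted in the post
)

# Principals expected to be able to change machine-wide autorun settings
# (assumption: adjust to local policy, e.g. a dedicated software-deployment group).
$trustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Any of these rights lets a principal add or alter an autorun value.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) {
        Write-Output "$key : not present"
        continue
    }
    Write-Output "== $key =="

    # 1. Enumerate autorun values so an unexpected binary stands out.
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $label = if ($name -eq '') { '(Default)' } else { $name }
        Write-Output ("  value   {0,-28} -> {1}" -f $label, $item.GetValue($name))
    }

    # 2. Flag Allow ACEs granting write-capable rights to untrusted principals.
    $acl = Get-Acl -Path $key
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band [int]$writeRights) -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        if ($trustedWriters -notcontains $who) {
            $inh = if ($ace.IsInherited) { ' [inherited]' } else { ''}
            Write-Output ("  WARNING {0} can write: {1}{2}" -f $who, $ace.RegistryRights, $inh)
        }
    }
}
```

A WARNING line for a group such as `BUILTIN\Users` or `Everyone` means any interactive session on that terminal server could have planted the entry without an admin password, which changes which of Nick's two explanations applies. An inherited ACE points at the parent key's permissions rather than a change made directly on Run.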
    This archive was generated by hypermail 2b30 : Tue May 07 2002 - 21:30:31 PDT