> BackDoor-JZ is not a virus but a remote access Trojan (RAT). It does
> not replicate by itself (if it did, it would be called a virus, or by
> some, a worm, depending on the replication method).
>
> But, BackDoor-JZ is a single file malware so it seems you have a
> little more than just BackDoor-JZ...

You're right, sorry about that, and I see your point. BTW, I did not mean to
sound like an alarmist with the subject; there was supposed to be a "?" on
there.

> > > cbnegs.exe
> > > Winlogon .exe
> > > sjhdyl.exe
> > > kbld.exe
> > > duckduck.exe
> > > explorer .exe
> > > ~xxxxx
> > > oocfwm.exe
> > > gwigsb.exe
> > > jkexnj.exe
> > > lknq.exe
> > > kjnj.exe
>
> All on one machine, or is that an assemblage of names from many of
> the victims? You see, most RATs can be renamed anything an
> "attacker" wishes and they work just the same. And most viruses will
> infect any file or will work regardless of the filename they run
> from. The same is true of most instances of file-borne malware,
> regardless of its purpose. Thus, filenames are very weak to useless
> diagnostics...

From what I'm told, this is an assemblage of the names of a few victims.
Again, I'm sorry, I don't have access to the infected hosts, so I don't have
first-hand knowledge of how this beasty makes the host react. But I'm trying
to get access to an infected host.

> > The virus appears to infect Windows hosts regardless of the OS
> > version. It appears to alter the start menu items of infected hosts
> > and makes them look garbled. At this time I don't know how this
> > virus is spreading but I will let you know if I find out, none of
> > the hosts I have access to are currently infected but it appears to
> > be spreading through our sister network pretty quickly.
>
> Given it hits all versions of Windows, and assuming you told us that
> because you have a fair sprinkling of different Windows versions
> (which seems likely for a .edu), I'd suggest that it is probably
> spreading through open or easily guessed or otherwise compromised
> common accounts or simply through the age-old "try for open shares"
> approach.

That is my first thought as well; I just haven't been able to confirm it yet.

> > Has anyone seen anything like this? Or recognize the signature
> > maybe?
>
> All the time.
>
> The odds are very high that they have been hit by some kind of bot-
> net, created from a raft of common system admin tools, possibly an IRC
> client (usually a renamed copy of mIRC), possibly an FTP server
> (ServU is popular for this), possibly a DDoS agent and/or some RAT
> (many RATs have DDoS functionality built-in) and a bunch of scripts
> (.BAT, .INI for the servers, etc), .REG files, and so on to "drive"
> it all. Also, of late, it is becoming increasingly common for these
> things to auto-detect _and_ auto-compromise further hosts (in the
> early days this was usually left as a manual task for the bot-net
> owner). At least for ones that do not auto-spread, there is often
> little for virus scanners to detect, as the applications are
> "legitimate" (so necessarily detecting them would be a false positive
> in many (probably most) situations) and the scripts are so malleable
> and variable that they are easily altered to achieve the same result
> but avoid detection.
>
> > Any info would be greatly appreciated.
>
> You say that NAV does not detect anything and that McAfee
> "mis-detects" Backdoor-JZ -- try sending them samples of all the
> files that you suspect are related to this thing (from one machine)
> and see what their analysts say. In fact, you may prefer trying a
> few other AV companies too -- here is a list of the sample and
> suspect file submission addresses of the better-known AV developers:

I only say it mis-detects it since, even when the McAfee AV scanner tells the
admin the system has been cleaned, it is reinfected after a reboot. I've asked
them to try scanning in safe mode, but as of yet I have not heard if this has
changed the reinfection situation.

>   Command Software <virusat_private>
>   Computer Associates (US) <virusat_private>
>   Computer Associates (Vet/EZ) <ipevirusat_private>
>   DialogueScience (Dr. Web) <Antivirat_private>
>   Eset (NOD32) <sampleat_private>
>   F-Secure Corp. <samples@f-secure.com>
>   Frisk Software (F-PROT) <viruslab@f-prot.com>
>   Grisoft (AVG) <virusat_private>
>   H+BEDV (AntiVir): <virusat_private>
>   Kaspersky Labs <newvirusat_private>
>   Network Associates (McAfee) <virus_researchat_private>
>   Norman (NVC) <analysisat_private>
>   Sophos Plc. <supportat_private>
>   Symantec (Norton) <avsubmitat_private>
>   Trend Micro (PC-cillin) <virus_doctorat_private>
>   (Trend may only accept files from registered users of its products)

As soon as I get a copy of the files, I'll fire them off to all the vendors
who have asked for a copy, as well as those listed here.

Thanks again Nick,

Cheers
Danny
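The point made above that filenames are near-useless diagnostics, together with the advice to collect every suspect file from one machine before submitting samples, translates into a first triage step: hash what was collected and group by content rather than by name. This is an added example, not code from the thread or from any vendor; the file contents are constructed, and the assignment of the thread's filenames to those contents is an assumption.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed stand-ins for the collected files; two distinct payloads are
# enough to show that renamed copies collapse to one identity. Not real code.
PAYLOAD_A = b"MZ constructed sample A -- not a real executable"
PAYLOAD_B = b"MZ constructed sample B -- not a real executable"

# Filenames taken from the thread, mapped to constructed contents (assumption).
SAMPLES = {
    "cbnegs.exe": PAYLOAD_A, "sjhdyl.exe": PAYLOAD_A, "duckduck.exe": PAYLOAD_A,
    "Winlogon .exe": PAYLOAD_B, "explorer .exe": PAYLOAD_B, "kbld.exe": PAYLOAD_B,
}

# Legitimate Windows binaries whose names the samples appear to imitate.
KNOWN_SYSTEM = {"winlogon.exe", "explorer.exe"}

def sha256_of(path):
    """Hash a file in chunks so large samples do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def group_by_hash(directory):
    """Return {sha256: [filenames]}; identical content lands in one bucket."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        groups[sha256_of(os.path.join(directory, name))].append(name)
    return dict(groups)

def lookalike_names(names, known=KNOWN_SYSTEM):
    """Flag names that equal a system binary once whitespace is stripped."""
    flagged = []
    for name in names:
        squeezed = "".join(name.lower().split())
        if squeezed in known and name.lower() != squeezed:
            flagged.append(name)
    return sorted(flagged)

def triage(directory):
    clusters = sorted(sorted(v) for v in group_by_hash(directory).values())
    return {"clusters": clusters, "lookalikes": lookalike_names(os.listdir(directory))}

def demo():
    """Write the constructed samples to a temp dir and triage them."""
    workdir = tempfile.mkdtemp()
    for name, data in SAMPLES.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(data)
    return triage(workdir)
```

Each cluster is one distinct file to submit to the vendors listed in the thread, whatever names it wore on the victims.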
This archive was generated by hypermail 2b30 : Mon Mar 10 2003 - 09:13:40 PST