RE: New virus outbreak.

From: Dave Duke (dave.dukeat_private)
Date: Fri Mar 07 2003 - 15:39:34 PST


    I would be interested, as a security person, to test these viri against
    cybersight. Does anyone have some examples of undetected viri?
    
    
    Dave
    
    -----Original Message-----
    From: Danny [mailto:Dannyat_private] 
    Sent: 07 March 2003 22:42
    To: 'intrusionsat_private'
    Cc: 'incidentsat_private'
    Subject: New virus outbreak.
    
    
     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    Hey Guys,
    	   We have been alerted to a virus outbreak by one of our sister
    networks that appears to be new and undetected by Norton AV and is
    mis-detected by McAfee. McAfee detects this virus as backdoor-jz but is
    unable to clean the virus. Sorry I don't have a whole lot of details on this
    yet but here is a list of the files running on infected systems. 
    
    > 
    > These are the virus processes that we've seen running:
    > 
    > cbnegs.exe
    > Winlogon .exe
    > sjhdyl.exe
    > kbld.exe
    > duckduck.exe
    > explorer .exe
    > ~xxxxx
    > oocfwm.exe
    > gwigsb.exe
    > jkexnj.exe
    > lknq.exe
    > kjnj.exe
    
    The virus appears to infect Windows hosts regardless of the OS version. It
    appears to alter the start menu items of infected hosts and makes them look
    garbled. At this time I don't know how this virus is spreading but I will
    let you know if I find out, none of the hosts I have access to are currently
    infected but it appears to be spreading through our sister network pretty
    quickly.
    
    Has anyone seen anything like this? Or recognize the signature maybe? 
    
    Any info would be greatly appreciated.
    
    Cheers
    Danny
    Network Security Engineer
    Drexel University
    PGP Print: C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC F4ED F1E0
    PGP Key: http://akasha.irt.drexel.edu/danny.asc
     
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0
    
    iQA/AwUBPmkhA2b1zPz07fHgEQItBwCbBxNG2j/HPrqgwAfoyZhMy4CXvp0AoMqM
    fACTSk3u63sEDW+okA5XssUL
    =D2mI
    -----END PGP SIGNATURE-----
    
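The process list quoted above contains two names, "Winlogon .exe" and "explorer .exe", that imitate legitimate Windows binaries by inserting a space before the extension, alongside several random-looking names. The following script is an added example, not part of either message in this thread, of how a responder could sweep a process-name snapshot for both patterns: exact matches against the names reported in the post, and any name that collapses to a known system binary once whitespace is removed (it generalizes the two spaced names in the post to a small assumed allow-list of system binaries). The sample snapshot at the bottom is constructed for the example.

```python
"""Flag process names that match the outbreak report above or that imitate a
Windows system binary by embedding whitespace (e.g. "Winlogon .exe")."""
import re
from typing import Dict, Iterable, List

# Process names quoted in Danny's message, lower-cased for comparison.
REPORTED_NAMES = {
    "cbnegs.exe", "winlogon .exe", "sjhdyl.exe", "kbld.exe", "duckduck.exe",
    "explorer .exe", "~xxxxx", "oocfwm.exe", "gwigsb.exe", "jkexnj.exe",
    "lknq.exe", "kjnj.exe",
}

# Assumed allow-list of legitimate Windows binaries that spaced names imitate;
# replace with the real baseline of the hosts being checked.
SYSTEM_BINARIES = {
    "winlogon.exe", "explorer.exe", "svchost.exe", "lsass.exe",
    "csrss.exe", "services.exe",
}


def normalize(name: str) -> str:
    """Lower-case and trim outer whitespace; inner whitespace is preserved
    because it is exactly what the masquerade check looks for."""
    return name.strip().lower()


def classify(name: str) -> List[str]:
    """Return the reasons a process name is suspicious (empty list if none)."""
    reasons: List[str] = []
    n = normalize(name)
    if n in REPORTED_NAMES:
        reasons.append("listed in outbreak report")
    # Strip every whitespace character. If the result is a known system binary
    # but the original contained whitespace, the name is an impostor.
    squeezed = re.sub(r"\s+", "", n)
    if squeezed != n and squeezed in SYSTEM_BINARIES:
        reasons.append(f"imitates {squeezed} with embedded whitespace")
    return reasons


def scan(process_names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each suspicious process name in the snapshot to its reasons."""
    flagged: Dict[str, List[str]] = {}
    for name in process_names:
        reasons = classify(name)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample snapshot: benign names mixed with names from the report.
SAMPLE_PROCESSES = [
    "System", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "explorer.exe", "Winlogon .exe", "cbnegs.exe", "kbld.exe", "notepad.exe",
]

if __name__ == "__main__":
    for proc, why in scan(SAMPLE_PROCESSES).items():
        print(f"{proc!r}: {'; '.join(why)}")
```

On a live host the snapshot would come from the task list rather than the constructed list; the exact-name match only covers the names in this report, while the whitespace check catches the masquerade technique regardless of which binary is being imitated.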
    ----------------------------------------------------------------------------
    
    Lose another weekend managing your IDS?
    Take back your personal time.
    15-day free trial of StillSecure Border Guard.
    http://www.securityfocus.com/stillsecure

    This archive was generated by hypermail 2b30 : Mon Mar 10 2003 - 09:36:12 PST