A trojan that deletes spyware? - More botnet fun - World record attempt
Anti Spyware Trojan?
As reported by ISC Handler Pat Nolan, a new trojan has been released into the wild that seems to terminate processes and delete files and registry keys known to be associated with adware products. More details are available at http://securityresponse.symantec.com/avcenter/venc/data/downloader.lunii.html
Botnets
We've received reports of a few new botnet infestations of the same critter Deb Hale reported in http://isc.sans.org/diary.php?date=2004-09-25 . Botnets are a perfect example of why you need to know what's normal on your network and what's not. Great job Dan and Mr. Anonymous Senior Analyst. ;)
Speaking of botnets ...
The ISC was alerted to a .jpg image file (thanks Mark!) that had an MS04-028 overflow which caused the machine to download and run an executable, jpeg.exe
jpeg.exe silently installs a service on the PC as well as a registry key to autorun at reboot, then goes out to an IRC site, notifies of the compromise and waits for commands.
Actions have been taken to have the offending site blocked.
AV scan results of jpeg.exe are as follows (from http://www.virustotal.com ):
Antivirus Version Update Result
BitDefender 7.0 10.05.2004 Backdoor.Hackarmy.1.Gen
ClamWin devel-20040922 10.05.2004 -
eTrust-Iris 7.1.194.0 10.04.2004 Backdoor/AZV.Variant
F-Prot 3.15a 10.05.2004 W32/Hackarmy.AJ@bd
Kaspersky 4.0.2.24 10.05.2004 Backdoor.Hackarmy.gen
McAfee 4396 09.29.2004 BackDoor-AZV.gen
NOD32v2 1.884 10.04.2004 probably unknown NewHeur_PE
Norman 5.70.10 09.30.2004 W32/Backdoor
Panda 7.02.00 10.04.2004 Bck/HackArmy.T
Sybari 7.5.1314 10.05.2004 Backdoor.Hackarmy.gen
Symantec 8.0 10.04.2004 -
TrendMicro 7.000 10.04.2004 -
Bellhops and luggage carts and sheets, oh my!
While SANS NS Las Vegas 2004 will remain firmly engraved in many people's memory, it hopefully won't be remembered for the record attempt mentioned previously, that eventually failed. We're happy to report that there were no serious injuries and that all handlers have (apparently) survived unharmed. It should be noted however that the handler attempting the record has not been heard from since just after the attempt when he was seen with several statuesque showgirls. Good luck Tom, wherever you are. ;)
Chris Carboni
Handler on Duty
As reported by ISC Handler Pat Nolan, a new trojan has been released into the wild that seems to terminate processes and delete files and registry keys known to be associated with adware products. More details are available at http://securityresponse.symantec.com/avcenter/venc/data/downloader.lunii.html
Botnets
We've received reports of a few new botnet infestations of the same critter Deb Hale reported in http://isc.sans.org/diary.php?date=2004-09-25 . Botnets are a perfect example of why you need to know what's normal on your network and what's not. Great job Dan and Mr. Anonymous Senior Analyst. ;)
Speaking of botnets ...
The ISC was alerted to a .jpg image file (thanks Mark!) that had an MS04-028 overflow which caused the machine to download and run an executable, jpeg.exe
jpeg.exe silently installs a service on the PC as well as a registry key to autorun at reboot, then goes out to an IRC site, notifies of the compromise and waits for commands.
Actions have been taken to have the offending site blocked.
AV scan results of jpeg.exe are as follows (from http://www.virustotal.com ):
Antivirus Version Update Result
BitDefender 7.0 10.05.2004 Backdoor.Hackarmy.1.Gen
ClamWin devel-20040922 10.05.2004 -
eTrust-Iris 7.1.194.0 10.04.2004 Backdoor/AZV.Variant
F-Prot 3.15a 10.05.2004 W32/Hackarmy.AJ@bd
Kaspersky 4.0.2.24 10.05.2004 Backdoor.Hackarmy.gen
McAfee 4396 09.29.2004 BackDoor-AZV.gen
NOD32v2 1.884 10.04.2004 probably unknown NewHeur_PE
Norman 5.70.10 09.30.2004 W32/Backdoor
Panda 7.02.00 10.04.2004 Bck/HackArmy.T
Sybari 7.5.1314 10.05.2004 Backdoor.Hackarmy.gen
Symantec 8.0 10.04.2004 -
TrendMicro 7.000 10.04.2004 -
Bellhops and luggage carts and sheets, oh my!
While SANS NS Las Vegas 2004 will remain firmly engraved in many people's memory, it hopefully won't be remembered for the record attempt mentioned previously, that eventually failed. We're happy to report that there were no serious injuries and that all handlers have (apparently) survived unharmed. It should be noted however that the handler attempting the record has not been heard from since just after the attempt when he was seen with several statuesque showgirls. Good luck Tom, wherever you are. ;)
Chris Carboni
Handler on Duty
Keywords:
0 comment(s)
×
![modal content]()
Diary Archives
Comments