
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-04-23 InfoSec Handlers Diary Blog


Problem with Trend Micro Virus Sig 594; Trojan Vundo; Update on Problem with MS05-019; Phishing Site?; DNS Poisoning

Published: 2005-04-23
Last Updated: 2005-04-24 03:40:13 UTC
by Koon Yaw Tan (Version: 1)
0 comment(s)
We have an early diary today, but don't forget to take a look at yesterday's diary on DNS problems at Network Solutions; Potential Problems with MS05-019; Filtering SSL.

Trend Micro Virus Sig 594 causes systems to experience high CPU utilization

We have received a few reports from our readers (in particular, thanks to Brad, Anthony and those who prefer to remain anonymous) that there are issues with Trend Micro Virus Sig 594.

All Windows 2003 Servers and XP machines running virus sig 594 experience 100% CPU utilization.

Apparently, this is due to an incompatibility between the scanning engine, the signature file and these platforms.

Trend Micro has provided a new sig, 596, to resolve this issue.

If you are using Trend Micro antivirus products and your system suddenly locks up, you may want to check this out.

I guess it is a very bad day for those who are using Trend Micro products. Several readers wrote in to say that they were clueless about the "sudden death" of their systems. It took them several painful hours to diagnose the problem, until they hit our website and spotted the cause. We must thank all the readers who informed us early so that we could share the information with the rest of the community.

One reader has shared with us that customers using Trend OfficeScan who have Outbreak Prevention Services can activate Outbreak mode on the server. This locks down the firewall on the client machines and allows them to communicate only with the OfficeScan server. The reduction in network traffic processed by the client should free enough CPU to download (albeit slowly) the update from the server. This could take several hours depending on the number of clients, but if it works, it saves you from having to touch hundreds, thousands, or tens of thousands of clients by hand.

For more information on resolving this issue, please refer to:

Trojan Vundo

We are apparently seeing a new variant of Trojan Vundo. Symantec has yet to detect it, but there is a writeup on it.

The file matches the description, except that the affected systems were patched for MS04-040.

Below is the result of a VirusTotal scan:

Antivirus    Version         Update      Result
AntiVir                      04.22.2005  TR/Agent.CS
AVG          718             04.21.2005  Agent.U
BitDefender  7.0             04.23.2005  no virus found
ClamAV       devel-20050307  04.22.2005  no virus found
DrWeb        4.32b           04.22.2005  Trojan.Virtumod
eTrust-Iris                  04.23.2005  Win32/Vundo.AD!DLL!Trojan
eTrust-Vet                   04.22.2005  Win32.Vundo.AD
Fortinet     2.51            04.23.2005  W32/Agent.FZ-tr
F-Prot       3.16b           04.22.2005  no virus found
Ikarus       2.32            04.22.2005  Trojan.Win32.Agent.CS
Kaspersky                    04.23.2005  Trojan.Win32.Agent.cs
McAfee       4475            04.22.2005  Generic BackDoor.d
NOD32v2      1.1075          04.23.2005  Win32/Agent.CS
Norman       5.70.10         04.20.2005  no virus found
Panda        8.02.00         04.22.2005  no virus found
Sybari       7.5.1314        04.23.2005  Win32.Vundo.AD
Symantec     8.0             04.22.2005  no virus found
VBA32        3.10.3          04.22.2005  Trojan.Win32.Agent.cs

Let us know if you have experienced the same Trojan.
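As an added example (not part of the diary), here is a small Python parser for multi-engine results in the whitespace-separated form the VirusTotal table above arrived in. It copes with rows that carry no engine version, and for each engine that reported "no virus found" it works out how many days its signatures lagged the newest set in the scan, since a miss from a stale engine says less than a miss from a current one. The sample table is constructed from the diary's own rows.

```python
import re
from datetime import datetime

# Constructed sample: the diary's VirusTotal rows, one engine per line. Some rows carry
# no engine version, so each row is anchored on its mm.dd.yyyy update date, not by column.
VT_TABLE = """\
Antivirus Version Update Result
AntiVir 04.22.2005 TR/Agent.CS
AVG 718 04.21.2005 Agent.U
BitDefender 7.0 04.23.2005 no virus found
ClamAV devel-20050307 04.22.2005 no virus found
DrWeb 4.32b 04.22.2005 Trojan.Virtumod
eTrust-Iris 04.23.2005 Win32/Vundo.AD!DLL!Trojan
eTrust-Vet 04.22.2005 Win32.Vundo.AD
Fortinet 2.51 04.23.2005 W32/Agent.FZ-tr
F-Prot 3.16b 04.22.2005 no virus found
Ikarus 2.32 04.22.2005 Trojan.Win32.Agent.CS
Kaspersky 04.23.2005 Trojan.Win32.Agent.cs
McAfee 4475 04.22.2005 Generic BackDoor.d
NOD32v2 1.1075 04.23.2005 Win32/Agent.CS
Norman 5.70.10 04.20.2005 no virus found
Panda 8.02.00 04.22.2005 no virus found
Sybari 7.5.1314 04.23.2005 Win32.Vundo.AD
Symantec 8.0 04.22.2005 no virus found
VBA32 3.10.3 04.22.2005 Trojan.Win32.Agent.cs
"""

# engine, optional version, update date, then the rest of the line as the verdict
ROW_RE = re.compile(r"^(\S+)\s+(?:(\S+)\s+)?(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")

def parse_vt_table(text):
    """Parse the flattened table into one dict per engine (header row skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        m = ROW_RE.match(line)
        if not m:
            continue  # not an engine row; skip rather than guess
        engine, version, updated, result = m.groups()
        rows.append({"engine": engine, "version": version, "result": result,
                     "updated": datetime.strptime(updated, "%m.%d.%Y").date(),
                     "detected": result.lower() != "no virus found"})
    return rows

def summarize(rows):
    """Detection count, plus how many days each missing engine's signatures
    lagged the newest signature set in the scan (0 means fully current)."""
    newest = max(r["updated"] for r in rows)
    misses = {r["engine"]: (newest - r["updated"]).days
              for r in rows if not r["detected"]}
    return {"engines": len(rows), "detected": sum(r["detected"] for r in rows),
            "misses_days_behind": misses}
```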

Update on Problem with MS05-019

Yesterday, we mentioned in our diary that there may be network connectivity problems after applying the MS05-019 patch. Microsoft has published an article confirming that network connectivity between clients and servers may fail after applying the MS05-019 patch or Windows Server 2003 Service Pack 1. According to the article, the following symptoms may occur:

* Inability to connect to terminal servers or to access file shares.

* Failure of domain controller replication across WAN links.

* Microsoft Exchange servers cannot connect to domain controllers.

If you experience similar issues, you may want to check out the article at:

Phishing Site?

One reader received a virus alert email with instructions on how to secure the system. It points you to an "anti-virus" website to purchase an anti-virus scanner to protect your system. The website is pretty simple, with a virus alert but no virus information. It definitely looks phishy to me:

DNS Poisoning

A few readers have informed us they still experience DNS poisoning. We will provide more information when available. If you still encounter the same issue, drop us a note.
