SANS Internet Storm Center

ICQ-Based Bizex Worm, MyDoom.F, Checking Your Server Logs
ICQ-Based "Bizex" Worm

-----------------------------------------------------------

A new Win32 worm aimed at users of the ICQ instant-messaging client is making the rounds. The worm, dubbed "Bizex," is loaded onto a machine through a combination of ICQ behaviors and vulnerabilities in Internet Explorer and Windows when a user visits the site www.jokeworld.biz (currently unresolvable). Once executed, the worm sends messages to the victim's ICQ contacts urging them to visit the JokeWorld site, which is how it spreads. The worm reportedly searches infected machines for specific financial information and installs a keylogger in an attempt to steal passwords. More information:



http://www.techweb.com/wire/story/TWB20040224S0006





MyDoom.F

-----------------------------------------------------------

Proving once again that human gullibility knows no bounds, the MyDoom.F email-based worm is slowly increasing in "popularity." Unlike its kinder and gentler MyDoom siblings, this one not only installs a backdoor and mailbombs the known world, but also has the nasty habit of randomly deleting files with specific extensions on the infected machine, so a cleanup here may also mean a restore from backup. More information:



http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.F



http://us.mcafee.com/virusInfo/default.asp?id=helpCenter&hcName=mydoom_f





Checking Your Server Logs

-----------------------------------------------------------

Earlier, we received a report from an admin who, while looking through his web server logs, was able to identify a compromised system that had been used as a "toolz" dump (a staging site for attacker tools). This highlights again the importance of regularly examining your web server logs for signs of malicious activity and following up on what you find there. Thanks to this admin's efforts, the owners of the compromised system were contacted and the dump was taken offline.



If you're not regularly checking your web server logs, or if you're not sure what to look for, here is an excellent guide that explains not only what to look for, but also why it's important.



http://www.securiteam.com/securityreviews/6H00C1535K.html
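As an added illustration of the kind of log review described above (this is example code written for this page, not something from the diary, the reporting admin, or the linked guide), the script below parses Apache/NCSA combined-format access logs and flags the patterns that a "toolz" dump or a scanner typically leaves behind: requests for paths with tool-dump names, archives served with a 200, WebDAV/PUT writes that succeeded, known traversal and worm probe strings, and hosts racking up 404s. The log lines, the token list, the probe regex and the 404 threshold are all constructed assumptions for the demo and should be tuned to your own site.

```python
import re
from collections import Counter, defaultdict

# Apache/NCSA combined log format:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Heuristics below are assumptions for this example; tune them per site.
ARCHIVE_EXT = re.compile(r'\.(tar|tgz|tar\.gz|tar\.bz2|zip|rar|exe|bin)$', re.I)
DUMP_TOKENS = ('toolz', 'tools', 'rootkit', 'psybnc', 'bnc', 'eggdrop', 'shell', 'warez')
PROBE_RE = re.compile(
    r'(\.\./|%2e%2e|%5c|%255c|%c0%af|cmd\.exe|root\.exe|/_vti_bin/|/msadc/)', re.I)
WRITE_METHODS = {'PUT', 'DELETE', 'MOVE', 'COPY', 'MKCOL', 'PROPPATCH'}

# Constructed sample log (not from any real server); addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Feb/2004:10:01:12 -0500] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.77 - - [24/Feb/2004:10:02:01 -0500] "GET /toolz/ HTTP/1.0" 200 1842 "-" "Wget/1.8.2"
192.0.2.77 - - [24/Feb/2004:10:02:03 -0500] "GET /toolz/psybnc.tar.gz HTTP/1.0" 200 512345 "-" "Wget/1.8.2"
192.0.2.77 - - [24/Feb/2004:10:02:09 -0500] "GET /toolz/rootkit.tgz HTTP/1.0" 200 2048000 "-" "Wget/1.8.2"
198.51.100.9 - - [24/Feb/2004:10:05:30 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
198.51.100.9 - - [24/Feb/2004:10:05:31 -0500] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 321 "-" "-"
198.51.100.9 - - [24/Feb/2004:10:05:32 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
198.51.100.9 - - [24/Feb/2004:10:05:33 -0500] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 321 "-" "-"
203.0.113.4 - - [24/Feb/2004:10:07:45 -0500] "PUT /uploads/bnc.tar HTTP/1.1" 201 0 "-" "curl/7.10"
10.0.0.5 - - [24/Feb/2004:10:08:00 -0500] "GET /about.html HTTP/1.1" 200 1012 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    return rec


def analyze(log_text, notfound_threshold=3):
    """Scan log text and return findings as (kind, host, detail) tuples plus per-host stats."""
    findings = []
    notfound = Counter()            # 404s per client host (scanner indicator)
    served = defaultdict(int)       # bytes served per client host with status 200
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            findings.append(('unparsed', '-', raw[:80]))   # never silently skip odd lines
            continue
        host, path, status, method = rec['host'], rec['path'], rec['status'], rec['method']
        lower = path.lower()
        if status == 404:
            notfound[host] += 1
        if PROBE_RE.search(path):
            findings.append(('probe', host, path))
        if method in WRITE_METHODS and 200 <= status < 300:
            findings.append(('write-succeeded', host, f'{method} {path}'))
        if status == 200 and any(tok in lower for tok in DUMP_TOKENS):
            findings.append(('dump-path', host, path))
        if status == 200 and ARCHIVE_EXT.search(lower):
            findings.append(('archive-served', host, f'{path} ({rec["bytes"]} bytes)'))
        if status == 200:
            served[host] += rec['bytes']
    for host, n in notfound.items():
        if n >= notfound_threshold:
            findings.append(('scanner', host, f'{n} x 404'))
    return {'findings': findings, 'notfound': dict(notfound), 'bytes_by_host': dict(served)}


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG)
    for kind, host, detail in result['findings']:
        print(f'{kind:16} {host:15} {detail}')
    print('bytes served by host:', result['bytes_by_host'])
```

Run against a real access log with `analyze(open('/var/log/httpd/access_log').read())`. A successful PUT or a big archive download from a directory you never created is the kind of entry that turns up a dump like the one reported above; a burst of 404s with worm probe strings is usually just background noise, but a 200 on one of those paths is not. The token list is deliberately broad (a legitimate `/tools/` directory will trigger it), so treat the output as a review queue, not an alert feed.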





-----------------------------------------------------------

Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )