Heads up! New Virus/Worm?

This is an FYI....

It appears to propagate similar to Netsky.v
Creates a folder in "program files" called "exit owns"
inside the folder are 3 executables:
"Frag.exe"
"ooze heart idol.exe"
and another which I didn't write down.

In this instance "ooze Heart Idol" was running as a service. (there was also a registry entry that had to be killed)

Ending this service allowed deletion of the exe files.

WE did various searches on the names mentioned above, and could find nothing on them.

Also TONS OF POPUPS, TONS of new "FAVORITES"
A bunch of bogus items in Add/remove programs.

Ideas anyone? anyone? Bueller?

Heres a few links containing info about the virus

www.sophos.com...
us.mcafee.com...

Whats interesting about this virus is that it launces Denial of Service attacks against sites such as www.kazaa.com and www.emule.de. Usually virii attack places like the RIAA or SCO, but this one attacks filesharing and software piracy related websites.

AlternateHeaven,

Thanks for the info, I've looked at those links, and they are close, but not quite what we've seen here.
Same M.O., but different files, and registry entries.
I'm continuing to see what I can find..I hope this isn't a false alarm, although you'd think there would be tons of info available if this one had been seen before..

Whats interesting about this virus is that it launces Denial of Service attacks against sites such as www.kazaa.com and www.emule.de.

Where is it beign circulated? Maybe the RIAA and the other big boys are tired of playing patty-cake...

DE

I'm in the Western US, our first and second occurance
were about 4:30 pm Pacific time

Hrm, you may also want to keep tabs on outgoing traffic, because the virus will no doubt try to propagate itself. Keep a close eye on firewall logs, and also on the general bandwidth of your connection, cause if it starts a DoS against a site you definately want to pull the plug.

Any ideas on where you got it? I'm on dial-up so my chances are slimmer of contracting it, but had some bad experiences with an exectutable freezer couple months ago.

Maybe the RIAA and the other big boys are tired of playing patty-cake...

I agree.... or maybe it's just somebody with a grudge. If it is the RIAA then we can probably expect to see several closely-related versions doing the same thing very soon.......

Right now,
Not sure of it's source. It appears to come in as
a failed message, like some of the other Netsky variants.

But, we are running a good virus scanner, with auto deployment of DAT files, they are up to date.
OUr Mail server is running it's own virus scanner on Linux
AND we are blocking Hundreds of subject lines, with an anti-spam filter. This is why I think it's new.
I'm lucky enough to work on SAturday, today.
I'll see if we've got any more instances of this.

Our perimeter monitoring systems have recorded a massive increase in scans for TCP port 5556.over the last 24 hours. I attribute it to Netsky variants, but I don't know why the sudden spike in activity. The email servers are not registering any increases in the amount of infected messages, so it looks like the P2P component is doing something different. strange...

Just a quick note: Like I always say, as an internet security expert: Dont open any emails with attachments from senders you dont know, or if you know the sender and the email is kind of odd DELETE IT right away! Ive been Virus free for 1 and a half years now....just keep following that rule and everything will be fine!
Best Regards
SP

Spectre.

You're the person who alerted me to the witty worm.
I got that one at home, you saved me a lot of time, no real data loss, just a pain, restoring from backups, thanks.

Regarding port 5556, same thing here. Well, at work really. Our spam assassin software is also blocking tons of subject lines for Netsky variants, more over the last two days, than the previous 10 days. Have you also noticed that this seems to be occuring on Fridays?
Are they trying to wear out us IT guys, or what?



One other thing, to other posters, Keep your preview pane closed if you are using OUTLOOK. These new variants don't require that you actually open the e-mail.

I am glad I could help, spacedoubt. We escaped serious harm from Witty, too. All those security alerts and firewall logs I wade through paid off. Netsky and its pals do seem to be designed to wear the IT community down until we all quit.
We also noticed that the big outbreaks and new releases of malicious code seem to come after close of business Eastern time on Fridays, when most staff have gone home. (I have always heard about these IT workers who go home at 5:00 but I have yet to meet one!) That is why I spend so much time monitoring on the weekends. Our email server uses a combo of AV/anti-spam/sofware IDS and is recording dramatically increased traffic since this morning. Spam and infected mail are now a whopping 80% of total messages processed. I am actually investigating a hardware option to block more of this traffic at the perimeter and take some load off the server. There was a huge increase in SQL Slammer Worm scans today, and I thought there might be a new version of that at large. Fortunately, it looks like there is just a high-bandwidth host in China that is infected and it has decided to pick on us for some reason. 720 port 1434 scans today, ugh...

Good advice about the preview pane. We have insisted that our users do away with that feature entirely.

Keep fightin' the good fight; let us know if anything interesting pops up.

message services

What can i do about message services popup's ,microsoft's telling me i have to update xp with patches ,but is there a switch or something in my internet options that i can adjust or something?,also do pop up blockers work,which one is the best?.

Originally posted by 37doowrehs
message services

What can i do about message services popup's ,microsoft's telling me i have to update xp with patches ,but is there a switch or something in my internet options that i can adjust or something?,also do pop up blockers work,which one is the best?.

Hi, 37doowrehs. If you have a firewall, hardware or software, block udp ports 1026 and 135. 135 should be blocked anyway since it is pretty dangerous. The built in firewall XP has is better than nothing and blocks these by default. You can also kill the "messenger" service (not to be confused with MSN Messenger) that is running on XP and 2000; it isn't much use to the home user anyway and that is what lets the message pop-ups through. Here is a link on how to kill it for the various flavors of Windows:
Disable Messenger Service

a how-to guide for XP's firewall:
Activate XP Firewall

You should certainly stay up to date on Microsoft patches regardless of pop-up spam (SPIM?) It is far too risky to get behind on them. Make sure you also have current antivirus, of course. Pop-up ad blockers are a matter of personal preference. I find them to be all about the same with regards to ease of use and effectiveness, so price might be the biggest consideration, IMO. The Google Toolbar is free and works well. The Mozilla browsers include built-in pop-up blockers and are free as well.

Good luck.

thanx Spectre,
I downloaded the patches and the message services popups are gone .later tonight i will check out the links about xp's firewall.
well gotta go back to work ,,later

Just a quick update.
We haven't seen any more instances of the worm that
caused me to start this thread.
However our 5556 ports are still busier than usual, not as bad as over the weekend, which leads me to believe
the source of a lot of this is home computers, as opposed to Office computers. Might explain the Friday night infections (that sounds sick!) as well.

Keep applying those patches!

Ladies and gentleman, place your bets on a new worm attack! Maybe i should post this in "Predictions"!

Over the weekend, and once today, my colleagues and I logged brief increases in scanning on ports tcp/1025, tcp/4000, tcp/3127, tcp/443, and tcp/1029. The scans originated mostly in Asia and were of very short duration, like someone was testing a distribution network. If I were a betting man, I would wager that this Friday after 5:00 pm Eastern time, someone is going to let loose their latest worm creation. I say that based on past observations. man, I hope I am wrong, but I am going to keep a close eye one things to see what develops.

[Edited on 26-4-2004 by Spectre]

Spectre,

Just confirming increase of portscans.
It was a short blast, lasting only 30 minutes or so.
On the evening of the 24th.

Yessir, a new worm, W32.Sasser, was launched sometime early Saturday morning. As expected, it takes advantage of the LSASS buffer overflow for which exploit code was released earlier this week. We have not seen any examples of this worm hitting out networks yet, but have erred on the side of caution and blocked TCP ports 5554 and 9996 inbound and outbound on all the routers. I put an update on the ATSNN thread.

www.abovetopsecret.com...

Spectre, you were right..
Good call.
We're up to date here.

Whats up for this Friday?