Velocity Reviews - Computer Hardware Reviews


...worm... (?)

 
 
Peter Huebner
 
      01-29-2005

Somebody seems to have managed to get a worm past my firewall. The thing
is called defragfat32pi.exe and resides in the system32 directory.
Installs a registry key to get itself started.

I caught it when it tried to call out. Snuffed it and submitted it to
Symantec today.

The slightly creepy thing is that there is a connection to 'remote
procedure call'. I killed a process that was suspicious to me and the
computer shut down with a 'warning' and countdown of 1 minute because
rpc had been unexpectedly terminated.
This has not recurred, however.

Since then, svchost gets hit with a request for rpc on port 135 within a
few seconds of my logging on to the net, which has me scratching my head
and wondering if there is some component of this that I have not managed
to eradicate.

-P.
 
 
Bret
 
      01-29-2005
On Sat, 29 Jan 2005 14:40:44 +1300, Peter Huebner
<(E-Mail Removed)> wrote:

>
>Somebody seems to have managed to get a worm past my firewall. The thing
>is called defragfat32pi.exe and resides in the system32 directory.
>Installs a registry key to get itself started.
>
>I caught it when it tried to call out. Snuffed it and submitted it to
>Symantec today.
>
>The slightly creepy thing is that there is a connection to 'remote
>procedure call'. I killed a process that was suspicious to me and the
>computer shut down with a 'warning' and countdown of 1 minute because
>rpc had been unexpectedly terminated.
>This has not recurred, however.
>
>Since then, svchost gets hit with a request for rpc on port 135 within a
>few seconds of my logging on to the net, which has me scratching my head
>and wondering if there is some component of this that I have not managed
>to eradicate.


W32/Rbot-QQ

http://www.sophos.com/virusinfo/analyses/w32rbotqq.html

 
 
Bret
 
      01-29-2005
On Sat, 29 Jan 2005 14:56:20 +1300, Bret <(E-Mail Removed)> wrote:

>On Sat, 29 Jan 2005 14:40:44 +1300, Peter Huebner
><(E-Mail Removed)> wrote:
>
>>
>>Somebody seems to have managed to get a worm past my firewall. The thing
>>is called defragfat32pi.exe and resides in the system32 directory.
>>Installs a registry key to get itself started.
>>
>>I caught it when it tried to call out. Snuffed it and submitted it to
>>Symantec today.
>>
>>The slightly creepy thing is that there is a connection to 'remote
>>procedure call'. I killed a process that was suspicious to me and the
>>computer shut down with a 'warning' and countdown of 1 minute because
>>rpc had been unexpectedly terminated.
>>This has not recurred, however.
>>
>>Since then, svchost gets hit with a request for rpc on port 135 within a
>>few seconds of my logging on to the net, which has me scratching my head
>>and wondering if there is some component of this that I have not managed
>>to eradicate.

>
>W32/Rbot-QQ
>
>http://www.sophos.com/virusinfo/analyses/w32rbotqq.html


* The worm spreads to network shares with weak passwords and by using
* the LSASS security exploit (MS04-011).

Need a patch?
 
 
Peter Huebner
 
      01-29-2005
In article <(E-Mail Removed)>, (E-Mail Removed)
says...
>
> * The worm spreads to network shares with weak passwords and by using
> * the LSASS security exploit (MS04-011).
>
> Need a patch?


Got the MS patch for lsass, installing as I am typing this - already
killed the worm manually. Now I have an idea of how it got in, because I
did lift the firewall on lsass for a while yesterday, while trying to
troubleshoot my Ultra connection.

If there is an installer still hidden on the system, it should show its
ugly head some time. I was a little worried since I seem to get hammered
on port 135 (and one instance of port 1024), whether or not my machine
may be carrying a 'kick me' sign onto the net.

thx. -Peter
 
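A defender-side way to read those port-135 hits from the firewall's own log, added here as an example and not from anyone in the thread: it assumes the Windows Firewall pfirewall.log field order (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, ...), uses constructed sample lines, and separates broad background scanning (many distinct sources) from one host coming back repeatedly.

```python
from collections import Counter
from datetime import datetime

# Constructed sample lines in the Windows Firewall (pfirewall.log) layout;
# the field order is assumed from that log's "#Fields:" header and the
# trailing fields are trimmed. Addresses are from documentation ranges.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2005-01-29 14:40:51 DROP TCP 203.0.113.7 192.0.2.10 3456 135 48 S
2005-01-29 14:40:53 DROP TCP 198.51.100.22 192.0.2.10 4022 135 48 S
2005-01-29 14:40:55 DROP TCP 203.0.113.7 192.0.2.10 3461 135 48 S
2005-01-29 14:41:02 DROP TCP 198.51.100.99 192.0.2.10 1050 445 48 S
2005-01-29 14:41:30 DROP TCP 203.0.113.7 192.0.2.10 3470 1024 48 S
2005-01-29 14:42:10 OPEN TCP 192.0.2.10 198.51.100.5 1037 80 0 -
"""

# Ports the thread mentions (135, 1024) plus the NetBIOS/SMB ports that
# share-hopping and LSASS-exploiting worms probe.
RPC_PORTS = {135, 139, 445, 1024}

def parse(log_text):
    """Turn log lines into dicts; header and comment lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        events.append({"ts": datetime.fromisoformat(f"{f[0]} {f[1]}"),
                       "action": f[2], "src": f[4], "dst": f[5],
                       "dport": int(f[7])})
    return events

def triage(log_text, online_since, window_s=60):
    """Summarise blocked inbound RPC/SMB hits within window_s of going online.

    online_since is "YYYY-MM-DD HH:MM:SS". Many distinct sources means
    background scanning by other infected hosts (normal noise for this worm
    family); one source returning repeatedly is worth its own block rule.
    Neither result proves the local box is clean; that needs a host check.
    """
    t0 = datetime.fromisoformat(online_since)
    hits = [e for e in parse(log_text)
            if e["action"] == "DROP" and e["dport"] in RPC_PORTS
            and 0 <= (e["ts"] - t0).total_seconds() <= window_s]
    by_src = Counter(e["src"] for e in hits)
    return {"total": len(hits), "distinct_sources": len(by_src),
            "top_source": by_src.most_common(1)[0] if by_src else None,
            "ports": sorted({e["dport"] for e in hits})}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "2005-01-29 14:40:44"))
```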
 
Adder
 
      01-29-2005
In article <(E-Mail Removed). nz> in
nz.comp on Sat, 29 Jan 2005 15:37:59 +1300, Peter Huebner
<(E-Mail Removed)> says...
> In article <(E-Mail Removed)>, (E-Mail Removed)
> says...
> >
> > * The worm spreads to network shares with weak passwords and by using
> > * the LSASS security exploit (MS04-011).
> >
> > Need a patch?

>
> Got the MS patch for lsass, installing as I am typing this - already
> killed the worm manually. Now I have an idea of how it got in, because I
> did lift the firewall on lsass for a while yesterday, while trying to
> troubleshoot my Ultra connection.
>
> If there is an installer still hidden on the system, it should show its
> ugly head some time. I was a little worried since I seem to get hammered
> on port 135 (and one instance of port 1024), whether or not my machine
> may be carrying a 'kick me' sign on to the net .


The lsass patch has been around quite a while; are you one of those
"clever" users who has turned off auto updates?
 
 
Invisible
 
      01-29-2005
On Sat, 29 Jan 2005 17:20:11 +1300, Adder <(E-Mail Removed)> wrote:

>In article <(E-Mail Removed). nz> in
>nz.comp on Sat, 29 Jan 2005 15:37:59 +1300, Peter Huebner
><(E-Mail Removed)> says...
>> In article <(E-Mail Removed)>, (E-Mail Removed)
>> says...
>> >
>> > * The worm spreads to network shares with weak passwords and by using
>> > * the LSASS security exploit (MS04-011).
>> >
>> > Need a patch?

>>
>> Got the MS patch for lsass, installing as I am typing this - already
>> killed the worm manually. Now I have an idea of how it got in, because I
>> did lift the firewall on lsass for a while yesterday, while trying to
>> troubleshoot my Ultra connection.
>>
>> If there is an installer still hidden on the system, it should show its
>> ugly head some time. I was a little worried since I seem to get hammered
>> on port 135 (and one instance of port 1024), whether or not my machine
>> may be carrying a 'kick me' sign on to the net .

>
>The lsass patch has been around quite a while, are you one of those
>"clever" users who has turned off auto updates?


I've done bugger all updates since installing SP1 a couple of years ago; can't
say I've had any problems.


 
 
Mark S
 
      01-30-2005
What sort of firewall?

If it's a personal firewall then you've encountered the issue of the varying
ranges of security settings Personal Firewall software has. Quite often to
remain compatible with a LAN environment (such as a Windows network) you
open yourself up to these sorts of worms.

"Peter Huebner" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) .co.nz...
>
> Somebody seems to have managed to get a worm past my firewall. The thing
> is called defragfat32pi.exe and resides in the system32 directory.
> Installs a registry key to get itself started.
>
> I caught it when it tried to call out. Snuffed it and submitted it to
> Symantec today.
>
> The slightly creepy thing is that there is a connection to 'remote
> procedure call'. I killed a process that was suspicious to me and the
> computer shut down with a 'warning' and countdown of 1 minute because
> rpc had been unexpectedly terminated.
> This has not recurred, however.
>
> Since then, svchost gets hit with a request for rpc on port 135 within a
> few seconds of my logging on to the net, which has me scratching my head
> and wondering if there is some component of this that I have not managed
> to eradicate.
>
> -P.



 
 
Adder
 
      01-31-2005
In article <41fd4a84$0$94868$(E-Mail Removed)> in nz.comp on 30 Jan
2005 15:01:10 -0600, Mark S <(E-Mail Removed)> says...
> What sort of firewall?
>
> If it's a personal firewall then you've encountered the issue of the varying
> ranges of security settings Personal Firewall software has. Quite often to
> remain compatible with a LAN environment (such as a Windows network) you
> open yourself up to these sorts of worms.


Even if it is a Linux firewall, it should still have the updates installed
regularly, such as by the auto updates schedule.
A firewall is only partial protection. Viruses often use the various
exploits, and if they can get into an unpatched machine (entirely
possible) they can cause a lot of trouble.

>
> "Peter Huebner" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) .co.nz...
> >
> > Somebody seems to have managed to get a worm past my firewall. The thing
> > is called defragfat32pi.exe and resides in the system32 directory.
> > Installs a registry key to get itself started.
> >
> > I caught it when it tried to call out. Snuffed it and submitted it to
> > Symantec today.
> >
> > The slightly creepy thing is that there is a connection to 'remote
> > procedure call'. I killed a process that was suspicious to me and the
> > computer shut down with a 'warning' and countdown of 1 minute because
> > rpc had been unexpectedly terminated.
> > This has not recurred, however.
> >
> > Since then, svchost gets hit with a request for rpc on port 135 within a
> > few seconds of my logging on to the net, which has me scratching my head
> > and wondering if there is some component of this that I have not managed
> > to eradicate.
> >
> > -P.

>
>
>

 
 
Mark S
 
      01-31-2005
Well, a Linux firewall is not a great solution.

Might as well buy a crappy $100 hardware firewall; they do a better job.

"Adder" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed). nz...
> In article <41fd4a84$0$94868$(E-Mail Removed)> in nz.comp on 30 Jan
> 2005 15:01:10 -0600, Mark S <(E-Mail Removed)> says...
> > What sort of firewall?
> >
> > If it's a personal firewall then you've encountered the issue of the varying
> > ranges of security settings Personal Firewall software has. Quite often to
> > remain compatible with a LAN environment (such as a Windows network) you
> > open yourself up to these sorts of worms.

>
> Even if it is a Linux firewall, it should still have the updates installed
> regularly, such as by the auto updates schedule.
> A firewall is only partial protection. Viruses often use the various
> exploits, and if they can get into an unpatched machine (entirely
> possible) they can cause a lot of trouble.
>
> >
> > "Peter Huebner" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed) .co.nz...
> > >
> > > Somebody seems to have managed to get a worm past my firewall. The thing
> > > is called defragfat32pi.exe and resides in the system32 directory.
> > > Installs a registry key to get itself started.
> > >
> > > I caught it when it tried to call out. Snuffed it and submitted it to
> > > Symantec today.
> > >
> > > The slightly creepy thing is that there is a connection to 'remote
> > > procedure call'. I killed a process that was suspicious to me and the
> > > computer shut down with a 'warning' and countdown of 1 minute because
> > > rpc had been unexpectedly terminated.
> > > This has not recurred, however.
> > >
> > > Since then, svchost gets hit with a request for rpc on port 135 within a
> > > few seconds of my logging on to the net, which has me scratching my head
> > > and wondering if there is some component of this that I have not managed
> > > to eradicate.
> > >
> > > -P.

> >
> >
> >



 
 
AD.
 
      01-31-2005
On Mon, 31 Jan 2005 15:11:02 -0600, Mark S wrote:

> Well, a Linux firewall is not a great solution.


Yeah, use OpenBSD instead

--
Cheers
Anton

 