...worm... (?)

Discussion in 'NZ Computing' started by Peter Huebner, Jan 29, 2005.

  1. Somebody seems to have managed to get a worm past my firewall. The thing
    is called defragfat32pi.exe and resides in the system32 directory.
    Installs a registry key to get itself started.

    I caught it when it tried to call out. Snuffed it and submitted it to
    Symantec today.

    The slightly creepy thing is that there is a connection to 'remote
    procedure call'. I killed a process that was suspicious to me and the
    computer shut down with a 'warning' and countdown of 1 minute because
    rpc had been unexpectedly terminated.
    This has not recurred, however.

    Since then, svchost gets hit with a request for rpc on port 135 within a
    few seconds of my logging on to the net, which has me scratching my head
    and wondering if there is some component of this that I have not managed
    to eradicate.

    -P.
     
    Peter Huebner, Jan 29, 2005
    #1

  2. Peter Huebner

    Bret Guest

    On Sat, 29 Jan 2005 14:40:44 +1300, Peter Huebner
    <> wrote:

    >
    >Somebody seems to have managed to get a worm past my firewall. The thing
    >is called defragfat32pi.exe and resides in the system32 directory.
    >Installs a registry key to get itself started.
    >
    >I caught it when it tried to call out. Snuffed it and submitted it to
    >Symantec today.
    >
    >The slightly creepy thing is that there is a connection to 'remote
    >procedure call'. I killed a process that was suspicious to me and the
    >computer shut down with a 'warning' and countdown of 1 minute because
    >rpc had been unexpectedly terminated.
    >This has not recurred, however.
    >
    >Since then, svchost gets hit with a request for rpc on port 135 within a
    >few seconds of my logging on to the net, which has me scratching my head
    >and wondering if there is some component of this that I have not managed
    >to eradicate.


    W32/Rbot-QQ

    http://www.sophos.com/virusinfo/analyses/w32rbotqq.html
     
    Bret, Jan 29, 2005
    #2

  3. Peter Huebner

    Bret Guest

    On Sat, 29 Jan 2005 14:56:20 +1300, Bret <> wrote:

    >On Sat, 29 Jan 2005 14:40:44 +1300, Peter Huebner
    ><> wrote:
    >
    >>
    >>Somebody seems to have managed to get a worm past my firewall. The thing
    >>is called defragfat32pi.exe and resides in the system32 directory.
    >>Installs a registry key to get itself started.
    >>
    >>I caught it when it tried to call out. Snuffed it and submitted it to
    >>Symantec today.
    >>
    >>The slightly creepy thing is that there is a connection to 'remote
    >>procedure call'. I killed a process that was suspicious to me and the
    >>computer shut down with a 'warning' and countdown of 1 minute because
    >>rpc had been unexpectedly terminated.
    >>This has not recurred, however.
    >>
    >>Since then, svchost gets hit with a request for rpc on port 135 within a
    >>few seconds of my logging on to the net, which has me scratching my head
    >>and wondering if there is some component of this that I have not managed
    >>to eradicate.

    >
    >W32/Rbot-QQ
    >
    >http://www.sophos.com/virusinfo/analyses/w32rbotqq.html


    * The worm spreads to network shares with weak passwords and by using
    * the LSASS security exploit (MS04-011).

    Need a patch?
     
    Bret, Jan 29, 2005
    #3
  4. In article <>,
    says...
    >
    > * The worm spreads to network shares with weak passwords and by using
    > * the LSASS security exploit (MS04-011).
    >
    > Need a patch?


    Got the MS patch for lsass, installing as I am typing this - already
    killed the worm manually. Now I have an idea of how it got in, because I
    did lift the firewall on lsass for a while yesterday, while trying to
    troubleshoot my Ultra connection.

    If there is an installer still hidden on the system, it should show its
    ugly head some time. I was a little worried since I seem to get hammered
    on port 135 (and one instance of port 1024), whether or not my machine
    may be carrying a 'kick me' sign on to the net ;-).

    thx. -Peter
     
    Peter Huebner, Jan 29, 2005
    #4
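    The question in the two posts above (is the stream of hits on port 135
    just background noise from other infected machines, or a sign that
    something on this host survived the clean-up?) can be answered from the
    firewall log itself. The script below is an added example, not code from
    the thread or from any firewall product: it parses a constructed log in
    an assumed one-line-per-event format, separates blocked *inbound* probes
    on the ports the thread discusses (135 for RPC, 139/445 for the shares and
    LSASS path named in the Sophos note) from *outbound* attempts by the local
    host on those same ports, and only the latter is treated as evidence that
    the host is trying to spread. The local address, the port set and the
    three-target threshold are assumptions for the example.

```python
"""Triage a personal-firewall log for worm activity (added example).

Assumed log format (constructed for this example, not any real product's):
    <date> <time> <IN|OUT> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ACTION>
"""
import re
from collections import Counter

LOCAL_HOST = "192.168.1.10"      # assumed address of the machine under review
WORM_PORTS = {135, 139, 445}     # RPC endpoint mapper and SMB/LSASS ports (assumption)
SPREAD_THRESHOLD = 3             # distinct targets before we call it scanning (assumption)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)

# Constructed sample: external probes on 135/445/1024, then the local host
# trying several LAN neighbours on 445 in quick succession.
SAMPLE_LOG = """\
2005-01-29 14:31:02 IN TCP 203.0.113.7:3421 -> 192.168.1.10:135 BLOCK
2005-01-29 14:31:05 IN TCP 198.51.100.23:1098 -> 192.168.1.10:135 BLOCK
2005-01-29 14:31:09 IN TCP 198.51.100.23:1099 -> 192.168.1.10:445 BLOCK
2005-01-29 14:31:20 IN TCP 203.0.113.7:3455 -> 192.168.1.10:1024 BLOCK
2005-01-29 14:32:03 OUT TCP 192.168.1.10:1048 -> 192.168.1.23:445 ALLOW
2005-01-29 14:32:03 OUT TCP 192.168.1.10:1049 -> 192.168.1.24:445 ALLOW
2005-01-29 14:32:04 OUT TCP 192.168.1.10:1050 -> 192.168.1.25:445 ALLOW
2005-01-29 14:33:10 OUT TCP 192.168.1.10:1051 -> 192.0.2.80:80 ALLOW
"""


def parse_log(text):
    """Return a list of event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def triage(events, local_host=LOCAL_HOST):
    """Separate inbound probe noise from outbound spreading by the local host."""
    inbound_sources = Counter()   # external source -> blocked hits on worm ports
    outbound_targets = Counter()  # destination -> attempts by local host on worm ports
    exposed = []                  # inbound worm-port connections the firewall let through

    for ev in events:
        on_worm_port = ev["dport"] in WORM_PORTS
        if ev["dir"] == "IN" and ev["dst"] == local_host and on_worm_port:
            if ev["action"] == "ALLOW":
                exposed.append((ev["ts"], ev["src"], ev["dport"]))
            else:
                inbound_sources[ev["src"]] += 1
        elif ev["dir"] == "OUT" and ev["src"] == local_host and on_worm_port:
            outbound_targets[ev["dst"]] += 1

    # Inbound probes alone say nothing about this host; the worm lives on the
    # machines that sent them. Outbound attempts to many hosts on 135/445 do.
    if len(outbound_targets) >= SPREAD_THRESHOLD:
        verdict = "OUTBOUND_SPREAD"
    elif exposed:
        verdict = "EXPOSED"
    else:
        verdict = "BACKGROUND_NOISE"

    return {
        "inbound_hits": sum(inbound_sources.values()),
        "inbound_sources": dict(inbound_sources),
        "outbound_targets": dict(outbound_targets),
        "exposed": exposed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    print(f"inbound worm-port hits (blocked): {result['inbound_hits']}")
    print(f"outbound worm-port targets: {sorted(result['outbound_targets'])}")
    print(f"verdict: {result['verdict']}")
```

    Run against a real export, a `BACKGROUND_NOISE` verdict with a steady
    trickle of blocked inbound 135/445 hits matches what the thread describes
    as normal for a machine on the open Internet; an `OUTBOUND_SPREAD` verdict
    is the signal that a component is still running locally and the clean-up
    is not finished.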
  5. Peter Huebner

    Adder Guest

    In article <> in
    nz.comp on Sat, 29 Jan 2005 15:37:59 +1300, Peter Huebner
    <> says...
    > In article <>,
    > says...
    > >
    > > * The worm spreads to network shares with weak passwords and by using
    > > * the LSASS security exploit (MS04-011).
    > >
    > > Need a patch?

    >
    > Got the MS patch for lsass, installing as I am typing this - already
    > killed the worm manually. Now I have an idea of how it got in, because I
    > did lift the firewall on lsass for a while yesterday, while trying to
    > troubleshoot my Ultra connection.
    >
    > If there is an installer still hidden on the system, it should show its
    > ugly head some time. I was a little worried since I seem to get hammered
    > on port 135 (and one instance of port 1024), whether or not my machine
    > may be carrying a 'kick me' sign on to the net ;-).


    The lsass patch has been around quite a while, are you one of those
    "clever" users who has turned off auto updates?
     
    Adder, Jan 29, 2005
    #5
  6. Peter Huebner

    Invisible Guest

    On Sat, 29 Jan 2005 17:20:11 +1300, Adder <> wrote:

    >In article <> in
    >nz.comp on Sat, 29 Jan 2005 15:37:59 +1300, Peter Huebner
    ><> says...
    >> In article <>,
    >> says...
    >> >
    >> > * The worm spreads to network shares with weak passwords and by using
    >> > * the LSASS security exploit (MS04-011).
    >> >
    >> > Need a patch?

    >>
    >> Got the MS patch for lsass, installing as I am typing this - already
    >> killed the worm manually. Now I have an idea of how it got in, because I
    >> did lift the firewall on lsass for a while yesterday, while trying to
    >> troubleshoot my Ultra connection.
    >>
    >> If there is an installer still hidden on the system, it should show its
    >> ugly head some time. I was a little worried since I seem to get hammered
    >> on port 135 (and one instance of port 1024), whether or not my machine
    >> may be carrying a 'kick me' sign on to the net ;-).

    >
    >The lsass patch has been around quite a while, are you one of those
    >"clever" users who has turned off auto updates?


    I've done bugger all updates since installing SP1 a couple of years ago, can't
    say I've had any problems.
     
    Invisible, Jan 29, 2005
    #6
  7. Peter Huebner

    Mark S Guest

    What sort of firewall?

    If its a personal firewall then you've encountered the issue of the varying
    ranges of security settings Personal Firewall software has. Quite often to
    remain compatible with a LAN environment (such as a Windows network) you
    open yourself up to these sorts of worms.

    "Peter Huebner" <> wrote in message
    news:...
    >
    > Somebody seems to have managed to get a worm past my firewall. The thing
    > is called defragfat32pi.exe and resides in the system32 directory.
    > Installs a registry key to get itself started.
    >
    > I caught it when it tried to call out. Snuffed it and submitted it to
    > Symantec today.
    >
    > The slightly creepy thing is that there is a connection to 'remote
    > procedure call'. I killed a process that was suspicious to me and the
    > computer shut down with a 'warning' and countdown of 1 minute because
    > rpc had been unexpectedly terminated.
    > This has not recurred, however.
    >
    > Since then, svchost gets hit with a request for rpc on port 135 within a
    > few seconds of my logging on to the net, which has me scratching my head
    > and wondering if there is some component of this that I have not managed
    > to eradicate.
    >
    > -P.
     
    Mark S, Jan 30, 2005
    #7
  8. Peter Huebner

    Adder Guest

    In article <41fd4a84$0$94868$> in nz.comp on 30 Jan
    2005 15:01:10 -0600, Mark S <> says...
    > What sort of firewall?
    >
    > If its a personal firewall then you've encountered the issue of the varying
    > ranges of security settings Personal Firewall software has. Quite often to
    > remain compatible with a LAN environment (such as a Windows network) you
    > open yourself up to these sorts of worms.


    Even if it is a Linux firewall it should still have the updates installed
    regularly, such as by the auto updates schedule.
    A firewall is only partial protection. Viruses often use the various
    exploits and if they can get into an unpatched machine (entirely
    possible) they can cause a lot of trouble.

    >
    > "Peter Huebner" <> wrote in message
    > news:...
    > >
    > > Somebody seems to have managed to get a worm past my firewall. The thing
    > > is called defragfat32pi.exe and resides in the system32 directory.
    > > Installs a registry key to get itself started.
    > >
    > > I caught it when it tried to call out. Snuffed it and submitted it to
    > > Symantec today.
    > >
    > > The slightly creepy thing is that there is a connection to 'remote
    > > procedure call'. I killed a process that was suspicious to me and the
    > > computer shut down with a 'warning' and countdown of 1 minute because
    > > rpc had been unexpectedly terminated.
    > > This has not recurred, however.
    > >
    > > Since then, svchost gets hit with a request for rpc on port 135 within a
    > > few seconds of my logging on to the net, which has me scratching my head
    > > and wondering if there is some component of this that I have not managed
    > > to eradicate.
    > >
    > > -P.

    >
    >
    >
     
    Adder, Jan 31, 2005
    #8
  9. Peter Huebner

    Mark S Guest

    Well, a Linux firewall is not a great solution.

    Might as well buy a crappy $100 hardware firewall, they do a better job.

    "Adder" <> wrote in message
    news:...
    > In article <41fd4a84$0$94868$> in nz.comp on 30 Jan
    > 2005 15:01:10 -0600, Mark S <> says...
    > > What sort of firewall?
    > >
    > > If its a personal firewall then you've encountered the issue of the varying
    > > ranges of security settings Personal Firewall software has. Quite often to
    > > remain compatible with a LAN environment (such as a Windows network) you
    > > open yourself up to these sorts of worms.

    >
    > Even if it is a Linux firewall it should still have the updates installed
    > regularly, such as by the auto updates schedule.
    > A firewall is only partial protection. Viruses often use the various
    > exploits and if they can get into an unpatched machine (entirely
    > possible) they can cause a lot of trouble.
    >
    > >
    > > "Peter Huebner" <> wrote in message
    > > news:...
    > > >
    > > > Somebody seems to have managed to get a worm past my firewall. The thing
    > > > is called defragfat32pi.exe and resides in the system32 directory.
    > > > Installs a registry key to get itself started.
    > > >
    > > > I caught it when it tried to call out. Snuffed it and submitted it to
    > > > Symantec today.
    > > >
    > > > The slightly creepy thing is that there is a connection to 'remote
    > > > procedure call'. I killed a process that was suspicious to me and the
    > > > computer shut down with a 'warning' and countdown of 1 minute because
    > > > rpc had been unexpectedly terminated.
    > > > This has not recurred, however.
    > > >
    > > > Since then, svchost gets hit with a request for rpc on port 135 within a
    > > > few seconds of my logging on to the net, which has me scratching my head
    > > > and wondering if there is some component of this that I have not managed
    > > > to eradicate.
    > > >
    > > > -P.

    > >
    > >
    > >
     
    Mark S, Jan 31, 2005
    #9
  10. Peter Huebner

    AD. Guest

    On Mon, 31 Jan 2005 15:11:02 -0600, Mark S wrote:

    > Well, a Linux firewall is not a great solution.


    Yeah, use OpenBSD instead ;)

    --
    Cheers
    Anton
     
    AD., Jan 31, 2005
    #10
  11. Peter Huebner

    Mark S Guest

    LOL uh huh...


    "AD." <> wrote in message
    news:p...
    > On Mon, 31 Jan 2005 15:11:02 -0600, Mark S wrote:
    >
    > > Well, a Linux firewall is not a great solution.

    >
    > Yeah, use OpenBSD instead ;)
    >
    > --
    > Cheers
    > Anton
    >
     
    Mark S, Feb 1, 2005
    #11
  12. Peter Huebner

    Axle Guest

    Mark S wrote:
    > Well, a Linux firewall is not a great solution.
    >
    > Might as buy a crappy $100 hardware firewall, they do a better job.
    >


    Or even better, a Linksys WRT54G running a custom linux distro.
     
    Axle, Feb 1, 2005
    #12
  13. Peter Huebner

    Mark S Guest

    Exactly, the US Robotics routers also run a custom BusyBox Linux.


    "Axle" <> wrote in message
    news:...
    > Mark S wrote:
    > > Well, a Linux firewall is not a great solution.
    > >
    > > Might as buy a crappy $100 hardware firewall, they do a better job.
    > >

    >
    > Or even better, a Linksys WRT54G running a custom linux distro.
     
    Mark S, Feb 2, 2005
    #13