Anyone seeing this? - Page 2

  1. #11
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    This thing definitely reads a lot of directories and a lot of files... it also does some file creation and that's what I documented.

    Extract zip file
    single exe - f22-012.exe
    Run the EXE
    system32\winshost.exe is created
    ntuser.dat and ntuser.dat.log in c:\documents and settings\Administrator were changed
    HKLM\Software\Microsoft\Windows\CurrentUser\Run\winshost.exe added
    system32\config\software.log modified
    system32\wiwshost.exe created
    At this point explorer crashed and drwatson ran... The logs became so full that I couldn't follow it anymore.

    I had my subnet changed (in case it did any scanning/passing by looking at the current subnet range).. but I didn't see any network traffic..

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #12
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Sorry Mate, I have a "drop-dead" rule on my gateway. All executables are stripped and sent to that big "bit-bucket" in the sky.
    Glad to see I'm not the only one with a no tolerance rule.... Works perfectly doesn't it?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by Tiger Shark
    Glad to see I'm not the only one with a no tolerance rule.... Works perfectly doesn't it?
    Hey Hey,

    I can't understand why all companies don't have this in place... I really don't know why we don't have it.... Is there a company out there without this in place that can explain why you don't have it and your reasoning?

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  4. #14
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Please.....


    Tiger isn't the only evil mean monster out there. I have about 35 file extensions that aren't allowed.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #15
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by thehorse13
    Please.....


    Tiger isn't the only evil mean monster out there. I have about 35 file extensions that aren't allowed.

    Hey TH13,

    Try and figure this one out.. we block access files (.mdb) but the virus infected exe in a zip file passes easily into our mailboxes.... How's that for a good corporate policy.

    Peace
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
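    Added example (not from anyone in this thread): a small gateway-side check for the case HT describes, a zipped EXE sliding past a filter that only looks at the outer attachment. It opens the zip in memory, flags members by blocked extension, by nested archive, by encryption (can't be inspected), and by the "MZ" PE header even when the file has been renamed to something harmless. The blocked-extension list, the sample archive and the member names are constructed for the demo; "f22-012.exe" is the name from the first post on this page.

```python
import io
import zipfile

# Constructed rule set for the demo, not any poster's real gateway policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".mdb"}


def _is_pe(head: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header, whatever the name says."""
    return head[:2] == b"MZ"


def scan_zip(blob: bytes, max_entries: int = 1000) -> list[dict]:
    """Return one finding per archive member that should block delivery.
    Nested archives are reported, not recursed into, and only the first two
    bytes of each member are read so a zip bomb cannot exhaust memory."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [{"name": "<archive>", "reason": "not a valid zip"}]
    for i, info in enumerate(zf.infolist()):
        if i >= max_entries:
            findings.append({"name": "<archive>", "reason": "too many entries"})
            break
        if info.is_dir():
            continue
        name = info.filename
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append({"name": name, "reason": f"blocked extension {ext}"})
        elif ext == ".zip":
            findings.append({"name": name, "reason": "nested archive"})
        elif info.flag_bits & 0x1:  # bit 0 of the general-purpose flags = encrypted
            findings.append({"name": name, "reason": "encrypted member, cannot inspect"})
        else:
            with zf.open(info) as fh:
                head = fh.read(2)
            if _is_pe(head):
                findings.append({"name": name, "reason": "PE header under harmless extension"})
    return findings


def build_sample_zip() -> bytes:
    """Constructed test attachment: a plainly named EXE, a PE renamed to .jpg, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("f22-012.exe", b"MZ" + b"\x00" * 62)  # name taken from post #11
        zf.writestr("photo.jpg", b"MZ" + b"\x00" * 62)    # executable disguised as an image
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` flags the two executables and lets readme.txt through; a filter that only checks the outer .zip name would pass all three.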

  6. #16
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Tiger Shark
    Glad to see I'm not the only one with a no tolerance rule.... Works perfectly doesn't it?
    It does work perfectly, I have pissed a few people off but hey, that's what they pay me for.

    Cheers:
    DjM

  7. #17
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Ah.. It's the new Bagle variant.. Why didn't I notice this thread before?

    http://www.antionline.com/showthread...r=1#post846896
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #18
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    I just wanted to thank you all for the early heads up on this. I was able to get a quick update and was prepared when the sucker started showing up in my area. Got 31 of the little buggers caught in quarantine today. Way Cool!

  9. #19
    Junior Member
    Join Date
    Jul 2005
    Posts
    1
    While scanning HTRegz's attachment on http://virusscan.jotti.org , it found the Bagle worm.

  10. #20
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    OLD THREAD: Sirdice commented 2 posts and a month before on what the bug was.... Pay close attention to the dates and READ THE WHOLE THREAD..

    Ah.. It's the new Bagle variant.. Why didn't I notice this thread before?

    http://www.antionline.com/showthrea...er=1#post846896
    Oh sorry forgot: First post.. Welcome to Antionline.. Please be sure to visit and READ the site FAQ.. and any Threads that may be "Sticky" that relate to posting on these here boards.. many of us are house trained.. some do bite.. so please be careful.. so to be safe please don't feed the animals..

    Thank you .. have a pleasant time here.. as we trust that we may enjoy your many future contributions..

    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
