-
January 30th, 2004, 09:16 PM
#1
VIRUS ALERT: W32.HLLW.Anig
Yep, another worm to be worried about.
Discovered on: January 29, 2004
Last Updated on: January 30, 2004 12:15:31 PM
Here is what Symantec has to say about it.
http://securityresponse.symantec.com...hllw.anig.html
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
January 30th, 2004, 09:23 PM
#2
Hmm, so I don't get how it's spread? Port 5190
An AOL port, does that mean its checking the shares of users connected through AOL?
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
January 30th, 2004, 09:33 PM
#3
# Stores keystrokes and passwords collected in the file, %System\NTKBH32.dll.
# Opens up a backdoor on TCP port 5190 and listens for commands from the attacker.
I'd imagine it's for the "attacker" to collect whatever was recorded. He probably set it to 5190 so that admins wouldn't close off that port at their firewalls since quite a few allow IMing at work. Might also be to make it look like traffic for AIM. That way home users aren't suspicious.
-
January 30th, 2004, 09:34 PM
#4
More than likely it is using that port in attempts to hide the fact that it is actually a malicious service. Most people see 5190 and assume an end user is mucking around with AIM.
As a side note, this technique is a commonly used with setting up a NetCat listener.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
January 30th, 2004, 09:45 PM
#5
Thanks for the heads up, I was tooling around NAI.com getting pissed that McAfee hasn't posted it yet but they have it under a different name. Lol.
W32/Dfcsvc.worm
Edit/ To answer the distribution method question
"The worm copies itself through ADMIN$ & IPC$ shares and installs on a remote machine.
Note: When successfully copied onto a remote machine, the worm is executed remotely as a service - the infected machine does not require reboot for the worm to be running.
After the first restart NTGINA.DLL receives control as part of the WINLOGON.EXE process, and keylogging commences."
From NAI
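A defender-side check for the two behaviours this thread describes: a local LISTENING socket on TCP 5190 (an AIM client connects outbound, so a server on that port is the masquerade posts #3 and #4 talk about) and one host fanning out SMB connections to many peers (the ADMIN$/IPC$ spread in the NAI quote). This is an added example, not code from the thread or from either vendor write-up; the netstat lines and the fan-out threshold are constructed assumptions.

```python
"""Heuristics over `netstat -an`-style output: flag a local listener on the
AIM port and SMB fan-out to many hosts. Sample lines are constructed."""
from collections import defaultdict

AIM_PORT = 5190
SMB_PORTS = {139, 445}
FANOUT_THRESHOLD = 3  # distinct SMB peers before flagging (assumption, tune per site)

# Constructed sample of Windows `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5190           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1041          192.0.2.10:5190        ESTABLISHED
  TCP    10.0.0.5:1050          10.0.0.21:445          SYN_SENT
  TCP    10.0.0.5:1051          10.0.0.22:445          ESTABLISHED
  TCP    10.0.0.5:1052          10.0.0.23:139          SYN_SENT
  TCP    10.0.0.5:1053          10.0.0.24:445          SYN_SENT
"""

def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) for TCP rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue  # header, blank, or UDP row
        lip, lport = parts[1].rsplit(":", 1)
        rip, rport = parts[2].rsplit(":", 1)
        yield lip, int(lport), rip, int(rport), parts[3]

def find_suspicious(text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    smb_peers = defaultdict(set)  # local ip -> remote hosts contacted on SMB
    for lip, lport, rip, rport, state in parse_netstat(text):
        # A LISTENING socket on 5190 is a server, not an AIM client session.
        if lport == AIM_PORT and state == "LISTENING":
            findings.append(f"listener on tcp/{AIM_PORT} at {lip} (masquerading as AIM?)")
        if rport in SMB_PORTS and state in ("SYN_SENT", "ESTABLISHED"):
            smb_peers[lip].add(rip)
    for lip, peers in smb_peers.items():
        if len(peers) >= FANOUT_THRESHOLD:
            findings.append(f"{lip} reached {len(peers)} hosts on SMB (share-based spread?)")
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_NETSTAT):
        print(finding)
```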
-
January 30th, 2004, 09:53 PM
#6
So if I am understanding this correctly, the W32.HLLW is the main name, and the .Anig describes the variant?
If that's the case, then this has been around a while (not in this version obviously)
Variations:
http://www.symantec.com/avcenter/ven...llw.bymer.html
http://securityresponse.symantec.com...fizzer@mm.html
So on the upside, it's never reached higher than a category 2. On the downside, some of the variants include a mass mailer...
So am I understanding this info correctly? Wouldn't be the first time I was full o' crap.