Subject: RE: RE: New Worm/Virus April 8th

Sounds exactly like a variant of W32/Agobot-EL (now that I know what it is).
They are almost identical.

Thanks!

New Worm/Virus April 8th

Could it be a variant of:

W32/Agobot-EL

Sherman

Subject: RE: RE: New Worm/Virus April 8th

Not as far as I know, no AV that I tried recognized it. (Sophos, Kaspersky, NAI, CA, Symantec)

Mailing-List: contact bugtraq-help

I know that it is bad form to reply to your own post, but here it goes
anyway:

There is an accompanying file called nwiz.exe in the \Winnt folder.

The worm/virus writes the following to an infected machine's hosts file:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com

I also noticed that the fully patched and AV protected machines that were infected had lame administrator passwords (and the account "Administrator" had not been renamed), which is the most likely point of compromise.

All in all not something to worry about unless you don't have MS03-039 or use 123456 as your admin password.
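A defender-side check for the hosts-file tampering described in this post, added here as an example (it is not code from the post or its author); the vendor domain watch list and the sample hosts content are constructed assumptions:

```python
# Added example (not from the original post): flag hosts-file entries that
# redirect security-vendor domains to loopback/unspecified addresses, the
# update-blocking behaviour the post lists. The watch list is an assumption.
import ipaddress
import re

WATCHED_DOMAINS = ("symantec.com", "symantecliveupdate.com", "sophos.com",
                   "mcafee.com", "nai.com", "networkassociates.com",
                   "kaspersky.com", "avp.com", "viruslist.com", "f-secure.com",
                   "ca.com", "my-etrust.com", "trendmicro.com")

def is_sinkhole(addr):
    """True for loopback (127/8, ::1) and unspecified (0.0.0.0, ::) targets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def parse_hosts(text):
    """Return (line_no, address, [hostnames]) for each non-comment entry."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = re.split(r"\s+", raw.split("#", 1)[0].strip())
        if len(fields) >= 2:                # skip blank and malformed lines
            entries.append((no, fields[0], [h.lower() for h in fields[1:]]))
    return entries

def find_hijacked_vendors(text, watched=WATCHED_DOMAINS):
    """Map each watched hostname that is sinkholed to its hosts-file line."""
    hits = {}
    for no, addr, hosts in parse_hosts(text):
        if is_sinkhole(addr):
            for h in hosts:
                if any(h == d or h.endswith("." + d) for d in watched):
                    hits.setdefault(h, no)
    return hits

# Constructed sample: some entries the post reports, plus a comment, the
# normal localhost line and a benign internal host that must not be flagged.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 www.symantec.com securityresponse.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0   update.symantec.com   # same effect with the unspecified address
192.168.1.10 intranet.example.internal
"""

if __name__ == "__main__":
    for host, no in sorted(find_hijacked_vendors(SAMPLE_HOSTS).items()):
        print(f"line {no}: {host} is sinkholed")
```

Run it against a copy of %SystemRoot%\system32\drivers\etc\hosts from a suspect machine; any hit is a reason to check the box before trusting its AV update status.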



Subject:New Worm/Virus April 8th

Concerning the new worm type infection spreading around today (6:15am EST): the file is called ndemon.exe (.99k) and it puts itself into c:\winnt and c:\winnt\system32. Registry entries: HKLM\Software\Microsoft\CurrentVersion\Run and HKLM\Software\Microsoft\CurrentVersion\RunServices (think it creates that one).

At first look: it then tries to propagate itself via MS ports 135 and 139 via known flaws and password guessing. It also listens for other infected machines on port 1025 and scans for MS IIS boxes on port 80 (to try known exploits as well).

The infected machines were win2k SP4 (fully Patched) Running Symantec AV
v8.6

Just a heads up

Sherman Hand
Manager, Internet Policy Enforcement Team
Surveillance Center
Adelphia Communications