
FW: New virus outbreak.

From: Brad <gryphonn(at)austarnet.com.au>
Date: Mon Mar 10 2003 - 04:13:17 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I figured this would be a more appropriate list for this query. Hopefully our moderator will see fit to push this through. Cheers,
Gryph

> -----Original Message-----
> From: Danny [mailto:Danny@drexel.edu]
> Sent: Saturday, 8 March 2003 8:42 AM
> To: 'intrusions@incidents.org'
> Cc: 'incidents@securityfocus.com'
> Subject: New virus outbreak.
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hey Guys,
> We have been alerted to a virus outbreak by one of
> our sister networks that appears to be new and undetected by
> Norton AV and is mis-detected by McAfee. McAfee detects this
> virus as backdoor-jz but is unable to clean the virus. Sorry,
> I don't have a whole lot of details on this yet, but here is a
> list of the files running on infected systems.
>
> >
> > These are the virus processes that we've seen running:
> >
> > cbnegs.exe
> > Winlogon .exe
> > sjhdyl.exe
> > kbld.exe
> > duckduck.exe
> > explorer .exe
> > ~xxxxx
> > oocfwm.exe
> > gwigsb.exe
> > jkexnj.exe
> > lknq.exe
> > kjnj.exe
>
> The virus appears to infect Windows hosts regardless of the
> OS version. It appears to alter the start menu items of
> infected hosts and makes them look garbled. At this time I
> don't know how this virus is spreading but I will let you
> know if I find out. None of the hosts I have access to are
> currently infected but it appears to be spreading through our
> sister network pretty quickly.
>
> Has anyone seen anything like this? Or recognize the signature maybe?
>
> Any info would be greatly appreciated.
>
> Cheers
> Danny
> Network Security Engineer
> Drexel University
> PGP Print: C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC F4ED F1E0
> PGP Key: http://akasha.irt.drexel.edu/danny.asc
>

Received on Mon Mar 10 12:48:59 2003
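A triage check a defender could run over a suspect host's `tasklist` output against the process names Danny reported, added here as an illustration and not part of either message. The sample `tasklist` output is constructed, the `SYSTEM_BINARIES` allow-list is an assumption, and the report's `~xxxxx` entry is read as a "name starts with a tilde" pattern.

```python
import re

# Process names taken from the outbreak report above (lower-cased for matching).
REPORTED_PROCESSES = {
    "cbnegs.exe", "winlogon .exe", "sjhdyl.exe", "kbld.exe", "duckduck.exe",
    "explorer .exe", "oocfwm.exe", "gwigsb.exe", "jkexnj.exe", "lknq.exe", "kjnj.exe",
}
# Assumption: a short allow-list of genuine Windows binaries that the fake names imitate.
SYSTEM_BINARIES = {"winlogon.exe", "explorer.exe", "services.exe", "lsass.exe", "csrss.exe"}

# Constructed sample in `tasklist` column layout; not real captured output.
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
winlogon.exe                 412 Console                 0      4,512 K
Winlogon .exe               1388 Console                 0      2,904 K
explorer.exe                 980 Console                 0     12,344 K
explorer .exe               1472 Console                 0      1,980 K
duckduck.exe                1500 Console                 0      1,212 K
~x7a3b                      1512 Console                 0        904 K
notepad.exe                 1600 Console                 0      2,100 K
"""

def image_names(tasklist_output):
    """Extract the Image Name column. Columns are separated by two or more spaces,
    so a single embedded space (as in 'Winlogon .exe') stays part of the name."""
    rows = tasklist_output.splitlines()[2:]  # skip the header and separator rows
    return [re.split(r"\s{2,}", row)[0] for row in rows if row.strip()]

def lookalike_of(name):
    """Return the system binary `name` imitates by inserting whitespace, else None."""
    lowered = name.strip().lower()
    squeezed = re.sub(r"\s+", "", lowered)
    return squeezed if squeezed in SYSTEM_BINARIES and squeezed != lowered else None

def triage(names):
    """Return (name, reason) for every process name worth investigating."""
    findings = []
    for raw in names:
        name = raw.strip().lower()
        if name in REPORTED_PROCESSES:
            findings.append((raw, "matches a process name from the outbreak report"))
        elif lookalike_of(raw):
            findings.append((raw, "whitespace lookalike of %s" % lookalike_of(raw)))
        elif name.startswith("~"):  # the report's '~xxxxx' entry, read as a prefix pattern
            findings.append((raw, "tilde-prefixed name like the reported '~xxxxx'"))
    return findings
```

Running `triage(image_names(SAMPLE_TASKLIST))` flags the two whitespace-padded system names, `duckduck.exe` and the tilde-prefixed entry, while the genuine `winlogon.exe` and `explorer.exe` pass.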

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT

