
W32.Beagle Variants and Zip Archives

Posted on April 30, 2004 08:16 AM

Mail messages infected with the latest Beagle variant are causing confusion for users on campus. The email attachment is a password-protected zip archive. While password-protected attachments are not unusual for recent viruses, the way Beagle.X builds the zip archive is.

With this variant, the characteristics of the zip archive change constantly, so the archive evades detection at the email virus-scanning gateway. You may therefore receive email with zip attachments that contain live Beagle.X code.

Fortunately, current Symantec Antivirus definitions detect the virus if the zip is extracted. Be sure that you have Symantec Antivirus installed with updated virus definitions, and never open unexpected attachments.

Contact the Help Desk if you need further assistance at 863-HELP or Help@brown.edu.

See further Beagle.X details.

Obtain Symantec's Beagle Removal Tools.


WINDOWS VIRUS ALERT: Gaobot Infections on Campus

Posted on April 20, 2004 02:14 PM

Importance: High

NOTE: There are a huge number of Gaobot variants in the wild. Several infections on campus have been identified as W32.HLLW.Gaobot (a/k/a Agobot.FO). Symantec definitions (4/20/2004 rev. 17) detect 77 variants at this time.

These bot infections are a clear demonstration of the importance of applying critical patches, properly configuring network shares, and keeping antivirus enabled and up to date. All of these variants leverage vulnerabilities at least 4 months old.

Affected OS
* Windows 2000
* Windows 95
* Windows 98
* Windows Me
* Windows NT
* Windows Server 2003
* Windows XP

Not Affected OS
* DOS
* Linux
* Macintosh
* OS/2
* UNIX
* Windows 3.x

How Do They Propagate
* Unpatched Microsoft vulnerabilities including 2003 RPC/DCOM vulnerabilities, WebDav, Messenger Service, et al.
* Weak or no share passwords
* Spread via network NOT email
* Observed infections resulted from unpatched vulnerabilities and/or weak share access controls

Risk
* High
* Machine is "owned" by attacker
* Remote access via IRC channel or other backdoor

Impact
* Numerous compromised machines in dorms and departments
* Network instability in one isolated department

Symptoms of Infected Machines
* Inbound control channel IRC traffic on 6667/tcp
* Steady outbound traffic on NetBIOS/SMB (445), DameWare (6129), the Mydoom backdoor (3127), HTTP (80), Universal Plug and Play UPnP (5000), 2745/tcp, etc.
* Typical packet size is 62 bytes
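
A constructed flow-log heuristic, added here as an example and not part of the original alert, that flags an internal host showing the symptom pattern above: IRC control-channel traffic on 6667/tcp combined with fan-out connections to many hosts on the ports the bot scans. The 10.0.x.x campus prefix, the flow record format and the thresholds are assumptions.

```python
from collections import defaultdict

# Ports the alert lists as the bot's outbound scan targets, and its IRC control port.
GAOBOT_SCAN_PORTS = {445, 6129, 3127, 80, 5000, 2745}
IRC_PORT = 6667

def parse_flow(line):
    """Parse a constructed 'src_ip src_port dst_ip dst_port' flow record."""
    src, sport, dst, dport = line.split()
    return src, int(sport), dst, int(dport)

def is_internal(ip, prefix="10.0."):
    # Hypothetical campus address range; substitute the real internal prefix.
    return ip.startswith(prefix)

def flag_gaobot_suspects(lines, min_targets=8, min_ports=2):
    """Return {host: sorted scanned ports} for internal hosts matching the pattern."""
    targets = defaultdict(lambda: defaultdict(set))   # host -> port -> {dst ips}
    irc_hosts = set()
    for line in lines:
        src, sport, dst, dport = parse_flow(line)
        if is_internal(src) and dport in GAOBOT_SCAN_PORTS:
            targets[src][dport].add(dst)
        # IRC control channel: an internal host exchanging 6667/tcp traffic in either direction.
        if dport == IRC_PORT and is_internal(src):
            irc_hosts.add(src)
        elif sport == IRC_PORT and is_internal(dst):
            irc_hosts.add(dst)
    suspects = {}
    for host, by_port in targets.items():
        # A port counts as "scanned" once the host has touched many distinct targets on it.
        scanned = {p for p, ips in by_port.items() if len(ips) >= min_targets}
        if len(scanned) >= min_ports and host in irc_hosts:
            suspects[host] = sorted(scanned)
    return suspects

# Constructed sample flows: one infected host, one normal web user, one plain IRC user.
SAMPLE_FLOWS = (
    ["10.0.5.20 1025 198.51.100.7 6667"]
    + [f"10.0.5.20 {1100 + i} 10.0.9.{i} 445" for i in range(1, 11)]
    + [f"10.0.5.20 {1200 + i} 10.0.9.{i} 2745" for i in range(1, 11)]
    + [f"10.0.5.21 {2000 + i} 203.0.113.{i} 80" for i in range(1, 4)]
    + ["10.0.5.22 1030 198.51.100.7 6667"]
)

if __name__ == "__main__":
    print(flag_gaobot_suspects(SAMPLE_FLOWS))  # {'10.0.5.20': [445, 2745]}
```

Only the host combining IRC traffic with broad scanning is reported; an IRC-only user or a host making a handful of web connections is not.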

Remediation for Infected Users
* Machine should be reformatted and reloaded in order to come back on the network.
* CIRT tickets will be filed for detected infected machines.
* Vulnerability scans will be performed before the machine's network filter is removed.

Actions for All Users
* Verify that Symantec Antivirus definitions are up to date (4/20/2004 rev. 17)
* Verify that File System Realtime Protection is enabled (i.e., the gold shield is shown in the system tray)

Handling
* All users who need assistance should contact the Help Desk at 863-HELP.
