Category "Bot Outbreaks"

April 27, 2005

4/27/2005 run.exe

Date Discovered: 2005/04/27
Time Discovered: 10:45
Bot File Location: %WINDIR%\System32\run.exe
Size of Bot File: 102 KB (105,428 bytes) (Explorer may display 103 KB)
MD5 of Bot File: 771d8b21a0e09720984a2bdfc7ea31a6
Known method(s) of infection: MSN Messenger
SAV Status: Detected as W32.Gaobot.DEY as of 11:53 AM on 2005/04/27.
Installs Spyware?: Possibly
Possible Removal Instructions: DOS Prompt: "taskkill /F /IM run.exe". The file is installed hidden and read-only, so clear those attributes before deleting it ("attrib -H -R %WINDIR%\System32\run.exe"), otherwise "del" will skip or refuse it. Then delete the file.
Comments: Installs itself with the hidden and read-only attributes set, and changes its last-modified date to match that of many other files so it does not stand out when sorting by date; one sample machine displayed its modified date as 8/4/2004. Infected computers may also have additional malware loaded at C:\MSN.exe.
Updated 12:10 2005/04/27 to reflect an update in AV status and spyware status

Posted by eckman at 10:52 AM | Bot Outbreaks

April 25, 2005

4/25/2005 kaspery.exe

Date Discovered: 2005/04/25
Time Discovered: 12:35
Bot File Location: %WINDIR%\System32\kaspery.exe
Size of Bot File: 146 KB (150,016 bytes) (Explorer may display 147 KB)
MD5 of Bot File: 06bafe6577034ef8173acf6687875ded
Known method(s) of infection: MS04-011 (LSASS), possibly others
SAV Status: Detected as of 2005/04/26 18:52 CDT.
Installs Spyware?: Possibly
Possible Removal Instructions: DOS Prompt: "taskkill /F /IM kaspery.exe". The file is installed hidden and read-only, so clear those attributes before deleting it ("attrib -H -R %WINDIR%\System32\kaspery.exe"), otherwise "del" will skip or refuse it. Then delete the file.
Comments: Installs itself with the hidden and read-only attributes set, and changes its last-modified date to match that of many other files so it does not stand out when sorting by date; one sample machine displayed its modified date as 8/23/2001.
Updated 10:55 AM on 2005/04/27 to reflect AV status change

Posted by eckman at 12:59 PM | Bot Outbreaks

March 31, 2005

3/31/2005 climdrv.exe

Date Discovered: 2005/03/31
Time Discovered: 16:10
Bot File Location: %WINDIR%\System32\climdrv.exe
Size of Bot File: 125 KB (128,000 bytes)
MD5 of Bot File: d42940f78831462478cd26cbd28b92aa
Known method(s) of infection: MS03-026 (RPC DCOM), possibly others
SAV Status: Detected via RapidRelease definitions starting at 19:07 on 2005/03/31
Installs Spyware?: No
Possible Removal Instructions: DOS Prompt: "taskkill /F /IM climdrv.exe". Then delete the file.
Comments: The computer should be formatted and reinstalled rather than cleaned: this group often loads several other backdoors, such as Serv-U FTP, Winshell and a telnet server, and has likely extracted the password database from the computer. Every password used on the computer will need to be changed.
Updated 2005/04/01 14:10 eckman (SAV status update)

Posted by eckman at 4:24 PM | Bot Outbreaks

3/31/05 WSoundMngr.exe

Date Discovered: 2005/03/31
Time Discovered: 08:30
Bot File Location: %WINDIR%\System32\WSoundMngr.exe
Size of Bot File: 32.5 KB (33,280 bytes)
MD5 of Bot File: 72c10b91a4c328c55409205a6381aa88
Known method(s) of infection: Link in an AOL Instant Messenger (AIM) away message - manual infection (the user has to download and run the file; no exploit involved)
SAV Status: Detected as Backdoor.Sdbot beginning at 12:49 on 2005/03/31
Installs Spyware?: Not Immediately - Probably Soon
Possible Removal Instructions: DOS Prompt: "taskkill /F /IM WSoundMngr.exe". Then delete the file.
Comments: Sets AIM away message to "New Pics From The Beach", followed by a URL to download this bot.
Updated at 16:23 by eckman (SAV status)

Posted by eckman at 8:53 AM | Bot Outbreaks

March 25, 2005

3/25/05 sys32.exe

Date Discovered: 2005/03/25
Time Discovered: 08:48
Bot File Location: %WINDIR%\System32\sys32.exe
Size of Bot File: 58.0 KB (59,392 bytes)
MD5 of Bot File: db44b1b86681866591c1f7f2b980fd61
Known method(s) of infection: LSASS (MS04-011)
SAV Status: Detected as W32.Mytob.K@mm
Installs Spyware?: Probably Not
Possible Removal Instructions: DOS Prompt: "taskkill /F /IM sys32.exe", "taskkill /F /IM hellmsn.exe". Then delete the files.
Comments: Also installs malware at C:\hellmsn.exe (detected as W32.Mytob.L@mm) and puts copies of the bot (all detected as W32.Mytob.K@mm) at C:\see_this!!.scr and C:\my_photo2005.scr and C:\funny_pic.scr.

Posted by eckman at 9:09 AM | Bot Outbreaks

March 15, 2005

3/15/2005 RegistryManage.exe Again

Date Discovered: 2005/03/15
Time Discovered: 14:28
Bot File Location: %WINDIR%\System32\RegistryManage.exe
Size of Bot File: 90 KB (92,160 bytes)
MD5 of Bot File: b99485a75075a7b687f500002eaa1bb9
Known method(s) of infection: LSASS (MS04-011)
SAV Status: Detected in RapidRelease definitions as of 17:53, 2005/03/15
Installs Spyware?: Possibly
Possible Removal Instructions: DOS Prompt: "taskkill /F /IM RegistryManage.exe". Then delete the file.
Comments: Kills the Task Manager process before you can end the bot from it; use taskkill from the command prompt as above.
Updated 09:04 2005/03/16

Posted by eckman at 4:14 PM | Bot Outbreaks

3/15/05 RegistryManage.exe

Date Discovered: 2005/03/15
Time Discovered: 14:25
Bot File Location: %WINDIR%\System32\RegistryManage.exe
Size of Bot File: 88 KB (90,112 bytes)
MD5 of Bot File: d2d8e3413bafd26120934063e34b74d2
Known method(s) of infection: LSASS (MS04-011)
SAV Status: Detected as W32.Spybot.Worm in RapidRelease definitions as of 18:50 2005/03/15
Installs Spyware?: Possibly
Possible Removal Instructions: DOS Prompt: "taskkill /F /IM RegistryManage.exe". Then delete the file.
Comments: Kills the Task Manager process before you can end the bot from it; use taskkill from the command prompt as above.
Updated 09:05 2005/03/16

Posted by eckman at 3:18 PM | Bot Outbreaks
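Every entry on this page carries the same indicator set (file name under %WINDIR%\System32, exact byte size, MD5) and the run.exe and kaspery.exe entries describe the same two evasion tricks: hidden plus read-only attributes, and a modified date reset to match many neighbouring files. The script below is an added example, not a tool from these posts or from the author: it transcribes the indicators from all six entries above (both RegistryManage.exe samples included) and scans a directory for them, reporting those two tricks alongside the size and hash comparison. The verdict thresholds (three or more neighbours sharing the modified time counts as timestomping), the attribute bit constants and the constructed demo tree it builds when not run on Windows are the example's own assumptions.

```python
"""Triage check for the bot indicators collected in the posts above (added
example). Checks a directory, by default %WINDIR%\\System32, for the listed
file names and reports size/MD5 matches, hidden + read-only attributes, and a
modified time shared with many other files in the same directory."""
import hashlib
import os
import stat
import tempfile
from collections import Counter

# name -> list of (size in bytes, MD5) as posted; RegistryManage.exe has two samples.
INDICATORS = {
    "run.exe": [(105428, "771d8b21a0e09720984a2bdfc7ea31a6")],
    "kaspery.exe": [(150016, "06bafe6577034ef8173acf6687875ded")],
    "climdrv.exe": [(128000, "d42940f78831462478cd26cbd28b92aa")],
    "WSoundMngr.exe": [(33280, "72c10b91a4c328c55409205a6381aa88")],
    "sys32.exe": [(59392, "db44b1b86681866591c1f7f2b980fd61")],
    "RegistryManage.exe": [(90112, "d2d8e3413bafd26120934063e34b74d2"),
                           (92160, "b99485a75075a7b687f500002eaa1bb9")],
}
# Windows file names are case-insensitive, so match on the lower-cased name.
_BY_NAME = {k.lower(): v for k, v in INDICATORS.items()}
FILE_ATTRIBUTE_READONLY = 0x1  # Win32 attribute bits (assumed constants)
FILE_ATTRIBUTE_HIDDEN = 0x2


def md5_of(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_file(path, st, mtimes):
    """Compare one file against the posted indicators. `mtimes` counts how many
    files in the same directory share each whole-second modified time."""
    name = os.path.basename(path)
    samples = _BY_NAME[name.lower()]
    digest = md5_of(path)
    size_match = any(st.st_size == size for size, _ in samples)
    md5_match = any(digest == h for _, h in samples)
    attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
    hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    readonly = bool(attrs & FILE_ATTRIBUTE_READONLY) or not (st.st_mode & stat.S_IWUSR)
    shared = mtimes[int(st.st_mtime)] - 1  # other files with the same mtime
    if md5_match:
        verdict = "known sample"
    elif size_match or shared >= 3 or (hidden and readonly):
        # Same name, different hash is what the two RegistryManage.exe samples
        # three minutes apart looked like; treat it as a variant, not a miss.
        verdict = "suspect variant"
    else:
        verdict = "name match only"
    return {"name": name, "path": path, "size": st.st_size, "size_match": size_match,
            "md5": digest, "md5_match": md5_match, "hidden": hidden,
            "readonly": readonly, "mtime_shared_with": shared, "verdict": verdict}


def scan(directory):
    """Return a finding for every indicator file name present in `directory`."""
    entries, mtimes = {}, Counter()
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            st = os.stat(path)
            entries[name] = (path, st)
            mtimes[int(st.st_mtime)] += 1
    return [check_file(path, st, mtimes)
            for name, (path, st) in entries.items() if name.lower() in _BY_NAME]


def build_demo_directory(root):
    """Constructed sample tree (no real malware): five decoy files sharing one old
    mtime, a filler 'run.exe' of the posted size timestomped to match them and
    made read-only, and a 'sys32.exe' of the wrong size left untouched."""
    old = 1091592000  # arbitrary fixed epoch used as the shared "old" date
    for i in range(5):
        p = os.path.join(root, "decoy%d.dll" % i)
        with open(p, "wb") as f:
            f.write(b"\0" * 16)
        os.utime(p, (old, old))
    bot = os.path.join(root, "run.exe")
    with open(bot, "wb") as f:
        f.write(b"A" * INDICATORS["run.exe"][0][0])  # right size, wrong content
    os.utime(bot, (old, old))
    os.chmod(bot, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    with open(os.path.join(root, "sys32.exe"), "wb") as f:
        f.write(b"B" * 10)


def demo():
    """Scan the constructed tree and return the findings keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_directory(d)
        findings = {f["name"]: f for f in scan(d)}
        os.chmod(os.path.join(d, "run.exe"), stat.S_IWUSR | stat.S_IRUSR)  # allow cleanup
    return findings


if __name__ == "__main__":
    target = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "System32")
    results = scan(target) if os.path.isdir(target) else demo().values()
    for finding in results:
        print(finding["verdict"], finding["path"], finding["md5"])
```

Run it with no arguments on a Windows host to scan System32; elsewhere it runs against the constructed tree. A hash match is definitive; a name match with a different size or hash is still worth treating as a variant rather than a clean file, since RegistryManage.exe changed both between the 14:25 and 14:28 samples, and the attribute and shared-mtime checks are what distinguish the evasive samples from an ordinary file that happens to share a name.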