Warning

 

Close

Confirm Action

Are you sure you wish to do this?

Confirm Cancel
Member Login
Posted: 9/23/2004 6:13:46 AM EST

Heads up...this appears to be a nasty one. I haven't been able to find any info on it anywhere, so it's a 0-day hit.

It appears to be spreading through DCOM/RPC, this INCLUDES patched machines. It's slicing through shit here like a blowtorch through butter. It's payload is an executable named "mntcgf032.exe", and it dumps it in c:\windows\system32 on win2k boxes and c:\windows\prefetch\<wherever past here>\ on xp boxes. Check startup registry entries; it adds itself there.

Like I said...including patched machines. It's smacking machines that were definitily patched with the latest sets of patches for XP and 2k.

Win2k3 appears to be "immune"; when the virus tries to propogate to those machines, it crashes RPC and just kills the box. It doesn't infect them, but it does kill them.

All you IT types, heads up...I haven't seen jack shit from Symantic on this....nothing's catching it so far. We're cleaning things manually, and it's re-infecting machines we've cleaned (and verified clean.)

Link Posted: 9/23/2004 6:30:12 AM EST
Nice.

I can expect my call volume to increase. I'll keep an eye out for it.
Link Posted: 9/23/2004 6:34:36 AM EST
We just bounced a copy of it to Symantec...they're working on it now.

FYI, right now, we have NO IDEA what this thing does. We do know network traffic goes through the roof. We don't know if it's goign to delete shit or what. It so far appears to be trying to share drives to the world? Sending some kind of data outside out network.

As a precaution we've basically turned every share we could read-only, and are waiting to see what Symantec says...
Link Posted: 9/23/2004 6:59:48 AM EST

Originally Posted By Evil_Ed:
It's payload is an executable named "mntcgf032.exe", and it dumps it in c:\windows\system32 on win2k boxes and c:\windows\prefetch\<wherever past here>\ on xp boxes. Check startup registry entries; it adds itself there.


My Win2K box has its OS in c:\winnt\ , not c:\windows\ . Correct?

Also, is the filename 9 characters long or 8? (Extra 0?) Just checking, since I'm letting others know.

This can't be -- Microsoft dedicated itself to securing its OS two years ago!
Dare I say . . . Knoppix?
Link Posted: 9/23/2004 7:05:32 AM EST
So how is this virus getting into your network?

Is it just spreading through DCOM/RPC once it's inside or is that how it's getting in as well?
Link Posted: 9/23/2004 7:11:34 AM EST

Originally Posted By 71-Hour_Achmed:
My Win2K box has its OS in c:\winnt\ , not c:\windows\ . Correct?

Also, is the filename 9 characters long or 8? (Extra 0?) Just checking, since I'm letting others know.

This can't be -- Microsoft dedicated itself to securing its OS two years ago!
Dare I say . . . Knoppix?



Winnt or windows, either one...I've only seen the XP versions of it.

And yes, the file name I typed is the file name it propogates, 9 characters. We sent it off to symantec and we're waiting for a reply.
Link Posted: 9/23/2004 7:12:22 AM EST

Originally Posted By NewbHunter:
So how is this virus getting into your network?

Is it just spreading through DCOM/RPC once it's inside or is that how it's getting in as well?



I don't know how it got in (perhaps a payload in an email, perhaps an infected web page)...all I know is that it got inside our firewall at one of our european locations, and then spread like wildfire from there.
Link Posted: 9/23/2004 8:14:02 AM EST
thanks for the heads up, please post any more details as you get them.
Link Posted: 9/23/2004 8:20:08 AM EST
ummmmmm I will say this one more time RUN LINUX!!!!!!!!!!!!!!!!!!!!!!!!!!!
Link Posted: 9/23/2004 8:26:25 AM EST
All hackers should fucking hang.
Link Posted: 9/23/2004 8:44:06 AM EST
[Last Edit: 9/23/2004 8:45:01 AM EST by GodBlessTexas]

Originally Posted By Charging_Handle:
All hackers should fucking hang.



Virus writers aren't hackers. Hell, most don't even write their code so that they're actually capable of doing the most damage they can. But more to the point, hackers don't do this type of shit. I'm a hacker and am fortunate enough to be paid to do it as my profession. Would you like to see me hang?

As far as how it got into your network, it could have been the GDI+ .jpg vulnerability that affects anything from MS that can do anything with .jpg image files. iDEFENSE released an alert at 2:15 AM CST this morning saying they had found exploit code in the wild that can execute cmd.exe on the viewing machine if they mouseover an image with IE. This could be how it got into your network, since the payload available in the exploit is a whopping 2500 bytes. That's enough space to put a lot of malicious shellcode.

Also, be suspect of any jpg files you get via MSN Messenger, since there's a new worm called Rayl.A that is using the GDI+ jpg. vulnerability to spread that way.

Remember the Alamo, and God Bless Texas...
Link Posted: 9/23/2004 8:44:49 AM EST
Any info on what it's called?
Link Posted: 9/23/2004 8:45:51 AM EST
Nothing yet...the guys who are handling this with Symantec haven't gotten back to me yet. Either they're busy fighting other fires, or they're taking a long lunch
Link Posted: 9/23/2004 8:48:23 AM EST
Whoops, spoke too soon...the guy who was in contact with Symantec left (his wife just went into labor), and the other guy I spoke to told me it's now morphing...different file names (ideXXXXXX.vxd was one of the file names, don't know the rest of the name, just ide 6 chars .vxd)...

I don't know what it does at this point other than to try and share files.

I'll keep y'all updated...
Link Posted: 9/23/2004 8:51:15 AM EST

Originally Posted By KC0CXA:
ummmmmm I will say this one more time RUN LINUX!!!!!!!!!!!!!!!!!!!!!!!!!!!



This is probably the 2nd most ignorant statement in the history of mankind.

Let's see you roll out a thousand linux desktops to your average financial institution end user and traders.

Sorry. That's about the quickest way to commit financial and instutional suicide that I know of.

Grow up some, learn about windows and other operating systems, then come back with your opinion. Thanks.

Link Posted: 9/23/2004 2:17:48 PM EST
Ok, looks like it IS using the dcom/rpc hole discovered last year...the reports here of machines that had been patched against it being infected, were wrong.

Regardless, it still is some new kind of worm using that hole. Something new. So, if you haven't patched against the dcom/rpc hole before...now there's a good new reason to. (I was wondering why all the boxes I ran didn't get infected but everyone else's did...I was told "because it hasent gotten to you yet!"...guess they were wrong, heh.)

Still waiting to hear back from Symantec as to what the new bug is...
Link Posted: 9/24/2004 3:35:59 AM EST

Originally Posted By Evil_Ed:

Originally Posted By KC0CXA:
ummmmmm I will say this one more time RUN LINUX!!!!!!!!!!!!!!!!!!!!!!!!!!!



This is probably the 2nd most ignorant statement in the history of mankind.

Let's see you roll out a thousand linux desktops to your average financial institution end user and traders.

Sorry. That's about the quickest way to commit financial and instutional suicide that I know of.

Grow up some, learn about windows and other operating systems, then come back with your opinion. Thanks.


Ed,

Glad to learn it's not a new vulnerability. Thanks for the updates.

However, regarding your above statements, I doubt very much that the average retarded MBA ( ) cares whether he's got Linux or Windows on his machine, just whether the application software is running properly. One of my former clients deployed their systems on NeXT, another on OS/2 machines, several on UNIX systems. None of the worker bees cared. Half of them probably couldn't tell the difference. If there was a reason to know, then proper training would take care of it.

As far as rolling out updates, Linux has some very nice tools to do remote updates. I've recently been working with Debian and Knoppix, for example. apt-get and aptitude are totally sweet (well, ok, the UI for aptitude could be nicer as a GUI) and function very efficiently. And Knoppix is essentially uninfectable since it runs off a CD (CD-R, CD-RW, take your pick) instead of a hard drive; if you discover a vulnerability, either do something to load patches automatically at bootup or burn a new CD. No problem.

Could you be more specific in your criticisms? I honestly don't know why your traders would care whether their machines were being powered by Linux penguins or MS roadkill.
Link Posted: 9/24/2004 5:37:49 AM EST

Originally Posted By Evil_Ed:
Ok, looks like it IS using the dcom/rpc hole discovered last year...the reports here of machines that had been patched against it being infected, were wrong.

Regardless, it still is some new kind of worm using that hole. Something new. So, if you haven't patched against the dcom/rpc hole before...now there's a good new reason to. (I was wondering why all the boxes I ran didn't get infected but everyone else's did...I was told "because it hasent gotten to you yet!"...guess they were wrong, heh.)

Still waiting to hear back from Symantec as to what the new bug is...



So, Ed, just out of curiosity was the problem that some of your personel didn't install thae patches at all, or was it that the patch install that MS sent out failed without the IT guys knowing, making them think those machines were protected?

Thanks for the update.
Link Posted: 9/24/2004 5:43:47 AM EST
Easy solution for this and the vast majority of viruses running around: turn off DCOM.

For more info, click here.
Top Top