Rob was kind enough to look into my problem and found it to be a bot which is spread via TCP 139.  No big alarm.  Thanks to all!
 
Dan
-----Original Message-----
From: Dan Lockwood
Sent: Saturday, August 02, 2003 12:59
To: NANOG
Subject: New or existing virus/vulnerability in Windows software?

Everyone,
 
We are having fits with a new? virus or vulnerability.  The symptoms are as follows: an executable saatg.exe "appears" in the startup folder of the All Users group and after a reboot launches itself.  It adds a registry entry under HKEY_LOCAL_MACHINE/Software/Microsoft/CurrentVersion/Run.  The executable shows under processes and seems to also launch additional processes, e.g. ~1.exe, ~2.exe, ~3.exe, etc.  I cannot link any malicious activity to this behavior, but it seems to be spreading like wildfire on our network, apparently with absolutely no user activity.  In testing I have done thus far, it finds its way onto a _virgin_ system that has been installed disconnected from the network with CD media including all relevant security patches.  Panda anti-virus does not seem to detect it either.  It shows up on systems where there is no interactive login, e.g. servers, regular users, and users with elevated privileges.  Additionally, once the executable is active it systematically searches for other systems to share the good news with on port TCP 135.  I am aware of the recent vulnerabilities from Microsoft regarding RPC and NetBIOS, but again, the recommended security fixes do not seem to provide any relief.  Does anyone have any insight into what this thing is?  TIA
 
Dan Lockwood