Sorry - my mailer did something stupid. Here's what was sent, and more comments at the bottom:
To: cert@cert.org
CC: abuse@ucla.edu
Subject: Attn: Bob - Dust.exe

CC'd to abuse@ucla.edu - UCLA, your option "2" for your abuse desk rings to an invalid number.

On Monday morning a bunch of our Win2k PCs got infected with a virus. We are seeing the infected machines attempting to make FTP connections to various IPs - the ones I've seen so far are in UCLA and MIT address space. The client connects to the FTP server (all have been Serv-U running under Windows), logs in with username "1", password "1", and retrieves Dust.exe.

Some of the IPs I've seen connections to:
18.242.5.42 (MIT)
18.241.5.89 (MIT)
169.232.117.223 (UCLA)

The Dust.exe process attempts to install infected files named Jah.exe and Gamma.exe. Jah is detected by Trend as WORM_RBOT.alo; Gamma is detected as "possible virus". Starting this morning Trend started detecting Dust as TROJ_SCNDTHOT.ab. When the machine tried to download it from MIT, Trend caught it as above. When it tried UCLA, Trend did not catch it, and the download succeeded.

When this hit on Monday, we saw infected PCs trying to infect other machines over tcp/445. They were trying random IPs in the address space that the infected computer was configured in. We did not see any FTP connections like these Monday morning; however, we weren't really looking for them.

-- END --

After this was sent, I've found some more details. The Dust.exe file is also being served by IPs at ThePlanet and ncsd.edu. The file from UCLA is about 5K bigger than the files served by the other sites. This explains why Trend was catching it when served by MIT but not by UCLA.

After some more investigation, it looks like an infected machine uses a tcp/445 vulnerability to infect others. Once the others are hit on 445, they are instructed to download the payload from these FTP sites.

I've made copies of the files available to CERT. I'm waiting on Trend to react to our support request from this morning.
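As an added example (not part of the original post, and not anything from Trend, CERT or the sites named), here is a detection pass for the two network behaviours the post describes: one host sweeping tcp/445 across its own address space, and hosts logging in to an FTP server as user "1" / password "1" and retrieving Dust.exe. It then ties the two together so that hosts probed on 445 that also fetch the payload stand out as the second stage of the chain. The log formats, the IP addresses (RFC 5737 documentation ranges), the threshold and the function names are all assumptions made for the example; the log lines are constructed, not captured.

```python
"""Added example: flag a tcp/445 sweep and a 1/1 FTP login followed by a
RETR of Dust.exe in constructed log lines, then correlate the two.
Formats, addresses, thresholds and names are assumptions, not from the post."""

from collections import defaultdict

# Constructed firewall connection log: "<time> <src> <dst> <proto> <dport>".
# 192.0.2.10 sweeps tcp/445 across its own /24 (the scanning behaviour);
# 192.0.2.20 talks to one file server repeatedly, which is normal SMB use.
FW_LOG = """\
08:00:01 192.0.2.10 192.0.2.11 tcp 445
08:00:01 192.0.2.10 192.0.2.12 tcp 445
08:00:01 192.0.2.10 192.0.2.13 tcp 445
08:00:02 192.0.2.10 192.0.2.14 tcp 445
08:00:02 192.0.2.10 192.0.2.15 tcp 445
08:00:02 192.0.2.10 192.0.2.16 tcp 445
08:00:03 192.0.2.10 192.0.2.17 tcp 445
08:00:03 192.0.2.10 192.0.2.18 tcp 445
08:00:03 192.0.2.10 192.0.2.19 tcp 445
08:00:04 192.0.2.10 192.0.2.21 tcp 445
08:00:04 192.0.2.20 192.0.2.5 tcp 445
08:00:05 192.0.2.20 192.0.2.5 tcp 445
08:00:06 192.0.2.31 198.51.100.9 tcp 80
"""

# Constructed FTP control-channel log (as a proxy or a pcap decode might
# emit): "<time> <client> <server> <command> <argument>". The anonymous
# session in the middle is a legitimate download and must not be flagged.
FTP_LOG = """\
08:05:10 192.0.2.11 198.51.100.7 USER 1
08:05:10 192.0.2.11 198.51.100.7 PASS 1
08:05:11 192.0.2.11 198.51.100.7 TYPE I
08:05:11 192.0.2.11 198.51.100.7 RETR Dust.exe
08:06:00 192.0.2.20 198.51.100.8 USER anonymous
08:06:00 192.0.2.20 198.51.100.8 PASS guest@
08:06:01 192.0.2.20 198.51.100.8 RETR README.txt
08:07:30 192.0.2.12 198.51.100.9 USER 1
08:07:30 192.0.2.12 198.51.100.9 PASS 1
08:07:31 192.0.2.12 198.51.100.9 RETR dust.exe
"""


def smb_fanout(fw_text):
    """Map each source to the distinct hosts it contacted on tcp/445."""
    targets = defaultdict(set)
    for line in fw_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of crashing the pass
        _, src, dst, proto, dport = fields
        if proto == "tcp" and dport == "445":
            targets[src].add(dst)
    return targets


def find_445_scanners(fw_text, threshold=8):
    """Sources that touched at least `threshold` distinct hosts on tcp/445.
    Normal SMB clients use a handful of servers; a sweep touches many."""
    return sorted(src for src, dsts in smb_fanout(fw_text).items()
                  if len(dsts) >= threshold)


def find_payload_fetches(ftp_text, user="1", password="1", filename="dust.exe"):
    """(client, server, file) for sessions that logged in with the given
    credentials and then RETR'd the named file (filename case-insensitive).
    Sessions are keyed by (client, server), an assumption for this log."""
    sessions = {}   # (client, server) -> credentials seen so far
    hits = []
    for line in ftp_text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        _, client, server, cmd, arg = fields
        sess = sessions.setdefault((client, server), {})
        cmd = cmd.upper()
        if cmd == "USER":
            sess.clear()            # a new USER starts a fresh login attempt
            sess["user"] = arg
        elif cmd == "PASS":
            sess["pass"] = arg
        elif cmd == "RETR":
            if (sess.get("user") == user and sess.get("pass") == password
                    and arg.strip().lower() == filename):
                hits.append((client, server, arg.strip()))
    return hits


def second_stage_victims(fw_text, ftp_text, threshold=8):
    """For each 445 scanner, the hosts it probed that also fetched the
    payload over FTP: the two-step chain the post describes, in the logs."""
    fanout = smb_fanout(fw_text)
    fetchers = {client for client, _, _ in find_payload_fetches(ftp_text)}
    chain = {}
    for scanner in find_445_scanners(fw_text, threshold):
        victims = sorted(fanout[scanner] & fetchers)
        if victims:
            chain[scanner] = victims
    return chain


if __name__ == "__main__":
    print("tcp/445 scanners:", find_445_scanners(FW_LOG))
    for client, server, name in find_payload_fetches(FTP_LOG):
        print(f"{client} fetched {name} from {server} as 1/1")
    print("probed on 445 and then fetched payload:",
          second_stage_victims(FW_LOG, FTP_LOG))
```

The threshold is the knob to tune: a domain controller or backup host legitimately reaches many machines on tcp/445, so in practice the scanner list should be compared against a known-servers allowlist before anyone is paged. The FTP match is deliberately narrow (exact credentials plus the one filename) so it stays quiet on ordinary anonymous FTP traffic like the README download in the sample.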