My honeypot was infected with a new self-replicating worm yesterday. It appears to check for open Win95/98/ME NetBIOS shares with read/write permission and installs wininit.exe (the scanner/infector) and the distributed.net client (in quiet mode). Upon reboot, the scanner will start and search for infectable hosts during periods of inactivity. The Windows 2000 Pro PC seems unaffected. I will make the files available for disassembly if anyone is interested.

To check for infection, look for the following files in c:/windows/system:

wininit.exe -- Application
wininit.log -- Apparent log file
info.dll    -- Apparent log file
dnetc.exe   -- Distributed.net client
dnetc.ini   -- Distributed.net config
Buff-in.*   -- Distributed.net work units
ms216.exe   -- Unknown, but the timestamp matched the other files...
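
The file check above as a script, plus the timestamp correlation the post used to spot ms216.exe. This is an added example, not part of the original post: the 120-second window, the function names and the sample directory contents (including dropper.tmp) are constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Indicator file names as listed in the post, lower-cased so they can be
# matched case-insensitively (Win9x FAT file names are not case-sensitive).
INDICATORS = ["wininit.exe", "wininit.log", "info.dll", "dnetc.exe",
              "dnetc.ini", "buff-in.*", "ms216.exe"]

def scan(system_dir, window=120):
    """Return (hits, clustered): indicator files found in system_dir, and
    other files whose mtime is within `window` seconds of any hit."""
    entries = [(n, os.path.getmtime(os.path.join(system_dir, n)))
               for n in os.listdir(system_dir)
               if os.path.isfile(os.path.join(system_dir, n))]
    hits = {n: t for n, t in entries
            if any(fnmatch.fnmatchcase(n.lower(), p) for p in INDICATORS)}
    clustered = sorted(n for n, t in entries if n not in hits
                       and any(abs(t - ht) <= window for ht in hits.values()))
    return sorted(hits), clustered

def demo():
    """Build a constructed directory standing in for c:/windows/system."""
    d = tempfile.mkdtemp()
    infected_at, old = 1_000_000_000, 900_000_000   # constructed timestamps
    sample = {"WININIT.EXE": infected_at, "dnetc.ini": infected_at + 5,
              "Buff-in.rc5": infected_at + 30, "dropper.tmp": infected_at + 10,
              "KERNEL32.DLL": old}
    for name, mtime in sample.items():
        path = os.path.join(d, name)
        open(path, "w").close()
        os.utime(path, (mtime, mtime))
    return scan(d)

if __name__ == "__main__":
    hits, clustered = demo()
    print("indicator files:", hits)
    print("same-timestamp files to review:", clustered)
```

Point `scan()` at the system directory of a mounted copy of the disk rather than the live machine, so the check does not alter file timestamps on the evidence.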