My Honeypot was infected with a new self-replicating worm yesterday. It appears to check for open win95/98/me netbios shares with read/write permission and installs wininit.exe (the scanner/infector) and the distributed.net client (In quiet Mode). Upon reboot, the scanner will start and search for infectable hosts during periods of inactivity. The windows 2000 pro pc seems unaffected. I will make the files available for dis-assembly if anyone is interested.

To check for infection, look for the following files in c:/windows/system

wininit.exe -- Application
wininit.log -- Apparent Log file
info.dll -- Apparent Log file
dnetc.exe -- Distributed.net client
dnetc.ini -- Distributed.net config
Buff-in.* -- Distributed.net work units
ms216.exe -- Unknown, but the timestamp matched the other files...
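The file check described in the post above, as an added example that is not part of the original message: it scans one directory (for instance c:/windows/system on a mounted copy of the disk) for the listed names, case-insensitively. The function names and the sample directory contents are constructed for illustration.

```python
import fnmatch
import os
import tempfile

# File names reported in the post (descriptions are the poster's own).
INDICATORS = {
    "wininit.exe": "application (scanner/infector)",
    "wininit.log": "apparent log file",
    "info.dll": "apparent log file",
    "dnetc.exe": "distributed.net client",
    "dnetc.ini": "distributed.net config",
    "buff-in.*": "distributed.net work units",
    "ms216.exe": "unknown, timestamp matched the other files",
}

def check_directory(system_dir):
    """Return {pattern: [matching file names]} for indicators found in system_dir."""
    hits = {}
    for name in sorted(os.listdir(system_dir)):
        if not os.path.isfile(os.path.join(system_dir, name)):
            continue
        for pattern in INDICATORS:
            # Win9x file systems are case-insensitive, so compare lowercased.
            if fnmatch.fnmatchcase(name.lower(), pattern):
                hits.setdefault(pattern, []).append(name)
    return hits

def build_sample_dir():
    """Constructed sample directory standing in for c:/windows/system."""
    root = tempfile.mkdtemp(prefix="sysdir_")
    for name in ("WININIT.EXE", "Dnetc.ini", "buff-in.rc5", "KERNEL32.DLL"):
        open(os.path.join(root, name), "w").close()
    return root

if __name__ == "__main__":
    import sys
    # Pass the directory to check as the first argument; default is the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    found = check_directory(target)
    for pattern, names in found.items():
        print(f"{pattern:12} {INDICATORS[pattern]:45} {', '.join(names)}")
    print(f"{len(found)} of {len(INDICATORS)} indicators present in {target}")
```

A name match is only a lead; comparing file timestamps, as the post does for ms216.exe, helps tie the files together.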
On Fri, Sep 14, 2001 at 11:04:23AM -0500, Ejay Hire wrote:
> My Honeypot was infected with a new self-replicating worm yesterday. It appears to check for open win95/98/me netbios shares with read/write permission and installs wininit.exe (the scanner/infector) and the distributed.net client (In quiet Mode).
Matches the MO of W32.HLLW.Bymer, a pretty old one that hit my parents' PC a while back:

http://www.symantec.com/avcenter/venc/data/w32.hllw.bymer.html

--
Jeff Gehlbach, Concord Communications <jgehlbach@concord.com>
Senior Professional Services Consultant, Atlanta
ph. 770.384.0184 fax 770.384.0183
participants (2)
- Ejay Hire
- Jeff Gehlbach