The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – Preparing for Feb 3rd (CME-24\Blackworm)

Preparing for Feb 3rd (CME-24) (NEW)

Published: 2006-02-02,
Last Updated: 2006-02-02 16:07:43 UTC by Pedro Bueno (Version: 1)

We received a lot of suggestions about measures against CME-24, in other words,
how to prepare for Feb 3rd independently of the anti-virus.

What follows below is a compiled list of those. Some were tested, some were not.

- The rule below, written by Per Kristian Johnsen of Telenor Security Center,
is said to detect attempts to copy WINZIP_TMP.exe to shares. According to the author,
it has detected infected machines that the already published
Snort/Sourcefire rule could not:

alert tcp any any -> any 135:139 (msg:"Nyxem attempting to copy WINZIP_TMP.exe to shares"; flow:to_server,established; content:"|57 00 49 00 4e 00 5a 00 49 00 50 00 5f 00 54 00 4d 00 50 00 2e 00 65 00 78 00 65|"; reference:url,www.lurhq.com/blackworm.html; classtype:trojan-activity; sid:5000173; rev:1;)

- Another user used SMS to scan drives for files with a size of 95,690 bytes and the following names (Blogger's note: I have been doing this query too, but missed the file size part):

%Windir%\Rundll16.exe
%System%\scanregw.exe
%System%\Winzip.exe
%System%\Update.exe
%System%\WINZIP_TMP.EXE
%System%\SAMPLE.ZIP
%System%\New WinZip File.exe
movies.exe
Zipped Files.exe
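As an added example (not from the diary or its contributors), the Python below reproduces both checks above: it decodes the rule's |hex| content to show it is "WINZIP_TMP.exe" in UTF-16LE, the encoding SMB uses for names on the wire, and shows that without a nocase modifier the rule matches only that exact case; it then hunts a directory tree for the listed names at the 95,690-byte size, as the SMS query did. The SMB-style payload and the sample tree are constructed stand-ins, and lower-casing the names assumes Windows' case-insensitive file name matching.

```python
import os, re, tempfile

# Content value copied from the Snort rule in the diary above.
SNORT_CONTENT = ("|57 00 49 00 4e 00 5a 00 49 00 50 00 5f 00 54 00 "
                 "4d 00 50 00 2e 00 65 00 78 00 65|")
# Names from the SMS query above (lower-cased: Windows name lookups ignore case) and its size.
SUSPECT_NAMES = {"rundll16.exe", "scanregw.exe", "winzip.exe", "update.exe",
                 "winzip_tmp.exe", "sample.zip", "new winzip file.exe",
                 "movies.exe", "zipped files.exe"}
SUSPECT_SIZE = 95690


def snort_content_bytes(content):
    """Turn a Snort 'content' value (text plus |hex| runs) into raw bytes."""
    out = bytearray()
    for piece in re.split(r"(\|[^|]*\|)", content):
        if piece.startswith("|"):
            out += bytes.fromhex(piece.strip("|"))
        else:
            out += piece.encode("latin-1")
    return bytes(out)


def rule_matches(payload, nocase=False):
    """Mimic Snort content matching: byte-exact unless 'nocase' is in force."""
    needle = snort_content_bytes(SNORT_CONTENT)
    return needle.lower() in payload.lower() if nocase else needle in payload


def smb_style_payload(filename):
    """Constructed stand-in for an SMB request that carries a UTF-16LE file name."""
    return b"\xffSMB" + b"\x00" * 28 + ("\\" + filename).encode("utf-16-le")


def find_suspect_files(root):
    """Host-side hunt: report a path only if name AND size both match."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in SUSPECT_NAMES and os.path.getsize(path) == SUSPECT_SIZE:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def make_sample_tree():
    """Constructed tree: one name+size hit, one name-only near miss."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "system32"))
    for name, size in (("WINZIP_TMP.EXE", SUSPECT_SIZE), ("update.exe", 1024)):
        with open(os.path.join(root, "system32", name), "wb") as f:
            f.write(b"M" * size)
    return root
```

The rule as published would miss a copy written as winzip_tmp.exe, the spelling the batch file below uses, so a defender deploying it should consider adding nocase.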

- A security Dweeb at a large California municipal government agency wrote a batch script that:

“1) looks for the existence of the infected file names
in %windir% and %sysdir% using simple DIR /B commands. Output is sent to a
uniquely named text file (with a non-standard extension). Infected
workstations will show a non-zero file size. The batch file is below; it uses
environment vars that are unique to the user and computer name.
2) The batch file will be placed in the login script for all
computers.
3) Ensure that verified backups are completed tonight (Wed).

Batch file:
@echo off
rem dir /b prints a found file's name to stdout and "File Not Found" to stderr,
rem so the .rgh file stays empty (zero bytes) on a clean machine.
dir /b %WinDir%\system\Winzip.exe >> %username%_%computername%.rgh
dir /b %WinDir%\system\Update.exe >> %username%_%computername%.rgh
dir /b %WinDir%\system\scanregw.exe >> %username%_%computername%.rgh
dir /b %WinDir%\Rundll16.exe >> %username%_%computername%.rgh
dir /b %WinDir%\winzip_tmp.exe >> %username%_%computername%.rgh
dir /b c:\winzip_tmp.exe >> %username%_%computername%.rgh
rem The name below contains a run of spaces before ".exe", so it must be quoted.
dir /b "%Temp%\word.zip                                        .exe" >> %username%_%computername%.rgh

Although dangerous, we think we have a very low chance of a problem.
According to LURHQ, there are only 15K computers in the US that have
contacted the “counter” site. And we have other protections in place
(blocking of all executables in mail attachments, current anti-virus
updates, etc.)”

—————————————————————–
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org )

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.


February 2, 2006 - Posted by | Antivirus News

2 Comments »

  1. [...] the original post: SANS – Internet Storm Center – Prepraring for Feb 3rd(CME-24Blackworm) Category : [...]

    Pingback by SANS – Internet Storm Center – Prepraring for Feb 3rd(CME-24Blackworm) | Antivirus Firewall Software Reviews | October 31, 2009 | Reply

  2. [...] on duty: Pedro Bueno (pbueno / / && / / isc. sans. org) original version here [...]

    Pingback by SANS – Internet Storm Center – Prepraring de 3rd(CME-24Blackworm) de Feb | ANTIVIRUS | February 20, 2012 | Reply
