When Worms Attack...
Monday, April 16, 2007
We're experiencing what can only be described as a Red-Alert day on the University network. We are seeing:
1) A Friday outbreak of the Peacomm / Nuwar / Storm Worm, which was contained and cleaned with some groans but not too much trouble.
2) A new outbreak of RinBot / DelBot, exploiting the Remote Buffer Overrun in outdated versions of Symantec AV. Though Symantec is responding to submissions with a link to Rinbot.A, this NEW variant (and believe me, it is a new variant) is not currently flagged by Symantec, and the associated files have little to no detection on VirusTotal / Jotti. In fact, the main Bot EXE is currently detected by NO ONE on Jotti, even using heuristics.
Files associated with the new RinBot outbreak:
mdnex.exe / U.exe
MD5: C1A6A22B2415BA608FB894B4E036E19C
199,680 bytes
AntiVir | Found HEUR/Crypted |
ArcaVir | Found nothing |
Avast | Found nothing |
AVG Antivirus | Found Win32/CryptExe |
BitDefender | Found nothing |
ClamAV | Found nothing |
Dr.Web | Found BackDoor.IRC.Sdbot.1299 |
F-Prot Antivirus | Found nothing |
F-Secure Anti-Virus | Found nothing |
Fortinet | Found nothing |
Kaspersky Anti-Virus | Found nothing |
NOD32 | Found nothing |
Norman Virus Control | Found nothing |
Panda Antivirus | Found nothing |
Rising Antivirus | Found nothing |
VirusBuster | Found nothing |
VBA32 | Found nothing |
radi.exe
MD5: 06A57B1BB9DEFC0405B5E475F03FE99A
1,035 bytes / 4,096 on disk
AntiVir | Found nothing |
ArcaVir | Found nothing |
Avast | Found nothing |
AVG Antivirus | Found nothing |
BitDefender | Found nothing |
ClamAV | Found nothing |
Dr.Web | Found nothing |
F-Prot Antivirus | Found nothing |
F-Secure Anti-Virus | Found nothing |
Fortinet | Found nothing |
Kaspersky Anti-Virus | Found nothing |
NOD32 | Found nothing |
Norman Virus Control | Found nothing |
Panda Antivirus | Found nothing |
Rising Antivirus | Found nothing |
VirusBuster | Found nothing |
VBA32 | Found nothing |
This is nasty, folks... RinBot is nothing to sneeze at. Anyone in a government / academic setting who runs Symantec Client Security or Corporate Edition, check your versions!
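For anyone who needs to sweep shares or workstations for the two files listed above, here is an added example (my own, not part of the original post) that walks a directory and flags files either by the MD5s given above (strong match) or by filename plus logical size (weak match, worth a manual look). The directory to sweep is whatever you pass on the command line.

```python
# Added example: hunt for the RinBot files listed in this post.
# Strong indicator: MD5 from the post. Weak indicator: filename + logical size
# (note the post's "1,035 bytes / 4,096 on disk": 4,096 is cluster allocation,
# os.path.getsize() returns the logical 1,035).
import hashlib
import os

# Indicators exactly as given in the post (hashes lowercased to match hexdigest()).
IOCS = {
    "c1a6a22b2415ba608fb894b4e036e19c": {"names": {"mdnex.exe", "u.exe"}, "size": 199680},
    "06a57b1bb9defc0405b5e475f03fe99a": {"names": {"radi.exe"}, "size": 1035},
}

def md5_of(path, chunk=65536):
    """Stream the file so large binaries do not get read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(path, iocs=IOCS):
    """Return 'hash' for an MD5 match, 'name+size' for a filename/size match, else None."""
    if md5_of(path) in iocs:
        return "hash"
    name = os.path.basename(path).lower()
    size = os.path.getsize(path)
    for ioc in iocs.values():
        if name in ioc["names"] and size == ioc["size"]:
            return "name+size"
    return None

def sweep(root, iocs=IOCS):
    """Walk root and return {path: match_kind} for every flagged file."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                kind = classify(p, iocs)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if kind:
                hits[p] = kind
    return hits

if __name__ == "__main__":
    import sys
    for p, kind in sorted(sweep(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{kind:10} {p}")
```

A hash hit is the file from the post; a name+size hit only says "same name and size as the sample" and should be submitted for a second opinion rather than treated as proof.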
- David
Labels: worm
posted by David @ 11:30 AM,