Educause Security Discussion mailing list archives
**update** (was: Rash of seemingly "old" virii)
From: Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>
Date: Thu, 10 Mar 2005 09:29:28 -0500
Just to update all of you. I worked with our Lab Manager (who is also our Sophos AV P.O.C.) to try to determine just what was going on with the machines in question. Below is the write-up that he sent Sophos; I have NOT included the DLL (don't want to infect anybody AND it might not get thru the list) or ".REG" file because the DLL filename may not be the same in all instances. This one was a "toughie". If you would like the .DLL and/or .REG file(s) - PLEASE contact me off-list. I am not sure how valuable it/they will be, because I don't know what the vector was to "install" that DLL and hook it to Explorer.

I would like to thank ALL of you, who responded, for your input - it was invaluable. I hope this saves SOMEONE some time and frustration.

Begin forwarded message:
From: Paul J Smernoff <Paul.J.Smernoff () williams edu>
Date: March 9, 2005 7:02:06 PM EST
To: support () sophos com
Subject: Possible virus attached

We have recently quarantined a few of our students' Windows XP workstations as they were making massive requests of one of our web servers. We are not certain how these PCs were infected. One of our Admins believes the PCs in question may have been trying to exploit IIS server as they were looking for the file fp30reg.dll.

We have scanned one of these systems with an already installed up-to-date Sophos Anti-Virus and found that the PC still exhibited the adverse behavior. Our use of Sysinternals TCPView demonstrated frequent scans of our network and the continued assault on our DHCP server. I noticed the behavior would only stop when killing the windows shell explorer.exe.

I ran tasklist /m against explorer.exe to see which dlls were associated with this process. I then compared the list of dlls with one from a clean PC. The attached DLL is the only one that was highly suspect as I could not find any reference to it on the Internet. In addition, this file was not found on the system initially even when searching the entire disk for hidden and system files. The attached .reg file contains the registry reference to the file. Once removed, I rebooted and found the file in c:\windows\system32. The attacks against our web server ceased.

I have since scanned the file with Panda ActiveScan and it is reported as a virus - Poxdar.B. I hope an IDE can be had soon. Please reply with any updates.

Thanks,
Paul

--
Paul Smernoff
Networks & Systems
Office for Information Technology
Williams College
PeteC
Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (desk)
(413) 822-2922 (cell)

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
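The triage Paul describes (list the DLLs mapped into explorer.exe, diff them against a clean PC, check whether the odd one out is hidden/unsigned, then find the registry value that hooks it in) can be scripted on a current Windows host. This is an added example, not code from the thread or from Sophos; it assumes PowerShell 4 or later (Get-FileHash, Get-AuthenticodeSignature) and a baseline module list exported earlier from a known-clean machine to the assumed path C:\baseline\explorer-modules.txt.

```powershell
# Added example: scripted version of the explorer.exe module diff from the thread.
# Baseline is assumed to have been produced on a clean PC with:
#   (Get-Process explorer).Modules.FileName | Sort-Object -Unique | Set-Content C:\baseline\explorer-modules.txt
param(
    [string]$BaselinePath = 'C:\baseline\explorer-modules.txt'   # assumed path
)

# 1. Modules currently mapped into the running shell (equivalent of "tasklist /m explorer.exe")
$loaded = (Get-Process -Name explorer -ErrorAction Stop).Modules |
    Select-Object -ExpandProperty FileName | Sort-Object -Unique

# 2. Keep only modules present here but absent from the clean machine
$baseline   = Get-Content -Path $BaselinePath
$unexpected = Compare-Object -ReferenceObject $baseline -DifferenceObject $loaded |
    Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject

foreach ($path in $unexpected) {
    # -Force is needed: the sample in the thread carried hidden/system attributes and
    # did not show up in an ordinary disk search.
    $file = Get-Item -LiteralPath $path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Module    = $path
        Hidden    = ($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        System    = ($file.Attributes -band [IO.FileAttributes]::System) -ne 0
        Signature = $sig.Status                      # NotSigned on an unknown DLL is a strong signal
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash   # for the AV vendor submission
    }
}

# 3. Locate the registry value(s) that reference the DLL, i.e. what Paul exported as the .reg file.
#    The hives searched here are an assumption (common shell/Winlogon load points); widen if empty.
$hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
         'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
         'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion'
foreach ($name in ($unexpected | ForEach-Object { Split-Path -Path $_ -Leaf })) {
    Get-ChildItem -Path $hives -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $key.GetValueNames() |
            Where-Object { "$($key.GetValue($_))" -like "*$name*" } |
            ForEach-Object { '{0}\{1} -> {2}' -f $key.Name, $_, $key.GetValue($_) }
    }
}
```

Run it elevated on the quarantined host; the hash and registry path it prints are what you would attach to a vendor ticket instead of the binary itself.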