Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: New Virus in the wild

  • From: Nils Ketelsen
  • Date: Tue Jan 18 09:06:18 2005

On Tue, Jan 18, 2005 at 02:48:55PM +0200, Gadi Evron wrote:
> Nils Ketelsen wrote:
> 
> > I still have no clue what is causing this, but I am pretty clueless when
> > it comes to Windows PCs anyway, and as you might have guessed: The PCs
> > making these connections are windows machines.
> 
> http://www.lurhq.com/baba.html
> 
> Thanks go to Joe Stewart from lurhq.


No, not it. Close but not exactly. I seem to be encountering a different
mutation of this Virus. First, the ports it is trying to connect
to are 25000-26000, second the timestamp in the URL seems to be missing in
the above description.

True is, that the infected file seems to be C:\csrss.exe. According to
McAfee Virus Scan (with the newest pattern file) this file was infected
with buchon.c. But the description does not fully match either. Anyways:
Killing the process and removing c:\csrss.exe helped. 

McAfee knows about this Virus since last week, but decided
it was not worth an update of their regular patterns. Thank you for this
policy of slow updates, I will see that I get a vendor that acts
in time, I guess.


Nils




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.