Subject:
From: David Gillett <[log in to unmask]>
Reply To: PCSOFT - Personal Computer software discussion list <[log in to unmask]>
Date: Sat, 15 Mar 2003 08:28:27 -0800

  A lot of my work time this week was spent in tracking down and eliminating
this virus on our network.  Here are three important bits of information
about it:

1.  It spreads via Windows 2000/XP file-sharing, using TCP port 445, and a
list of passwords to try.  Machines running any other version of Windows are
not affected.  Machines with good passwords are immune.  Machines behind
firewalls that block this port are never exposed to it.  (My work machine
was getting infection attempts 2-3 times an hour all week, from all over the
Internet, so obviously a lot of 2000/XP machines are exposed and vulnerable.)

2.  The worm -- the part that spreads from machine to machine -- installs a
bunch of malware, including a version of VNC configured as a trojan/backdoor
(listening for connections to TCP ports 5800 and 5900 -- netstat will show
the machine listening to these ports) and a "Distributed Denial-of-Service"
attack tool (many infected machines can be told, simultaneously, to flood
some Internet address with traffic).
  These pieces are installed in the Windows "fonts" directory.  Windows
Explorer (at least on 2000/XP) knows that this directory is special:  to
"avoid confusing the user", it displays only the *font* files that it finds
in this directory.  I believe that using "dir" from the command line gets
around this.

3.  Norton included detection of this virus in LiveUpdate a week ago or so.
But -- at least in their initial attempt at it -- this just quarantines the
worm portion, and does nothing about the malware that the worm installed.
In medical terms, if Norton says it found this virus and dealt with it, your
machine is no longer infectious, but it MAY still be contaminated.
  I don't know if this applies to any other antivirus products.  I suspect
that most, if they find VNC, will assume it's a legitimate application and
may not recognize this configuration as turning it into malware.

David Gillett
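
The two checks the post describes (looking in netstat output for listeners on TCP 5800/5900, and listing files in the fonts directory that Explorer's font view would not show) can be scripted. This is an added example, not part of the original message; the font-extension list, the `desktop.ini` exception and the sample netstat text are assumptions constructed for illustration.

```python
import os
import re

BACKDOOR_PORTS = {5800, 5900}  # VNC ports named in the post
# Assumption: extensions treated as normal contents of the fonts directory.
FONT_EXTS = {".ttf", ".ttc", ".otf", ".fon", ".pfm", ".pfb"}
IGNORED_NAMES = {"desktop.ini"}  # assumption: normally present, not a font

# Matches Windows "netstat -an" rows such as:
#   TCP    0.0.0.0:5900    0.0.0.0:0    LISTENING
LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)

def listening_ports(netstat_text):
    """Return the set of TCP ports shown in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_ROW.match(line)
        if m:
            ports.add(int(m.group(2)))
    return ports

def suspicious_listeners(netstat_text):
    """Ports from BACKDOOR_PORTS that the machine is listening on."""
    return sorted(listening_ports(netstat_text) & BACKDOOR_PORTS)

def non_font_files(fonts_dir):
    """Files in fonts_dir without a font extension (what a raw 'dir' reveals)."""
    hits = []
    for entry in os.scandir(fonts_dir):
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name in IGNORED_NAMES or os.path.splitext(name)[1] in FONT_EXTS:
            continue
        hits.append(entry.name)
    return sorted(hits)

# Constructed sample of "netstat -an" output, not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1041      192.168.1.5:445        ESTABLISHED
"""

if __name__ == "__main__":
    print("VNC-port listeners:", suspicious_listeners(SAMPLE_NETSTAT))
    fonts = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "Fonts")
    if os.path.isdir(fonts):
        print("Non-font files:", non_font_files(fonts))
```

A hit on 5800/5900 only means something is listening there; a VNC server installed on purpose produces the same result, so the finding has to be checked against what is supposed to be running on the machine.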
