Well, since it took a few days for this to hit the forum, a lot more information has come out. Looks like a combination of a few things, and get ready world, it's a lot of fun to clean up after. Key to it all... Patch Management 101. Due to acquisitions of companies and outside vendors dropping in to say "hi", you'll find you can't get it all, but containment isn't too far off.

Large growth in Korgo virus:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci969764,00.html?track=NL-358&ad=484914

The smsc.exe variant trojan:
http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_AGOBOT.WF

From the looks of our infection, we had Sasser and RPC to get in, then we had the Trojan IRC bot trying to get out and something doing mass SNMP gets to all devices. Everything was contained to an internal class B network except for the IRC bot. The Sasser signature is what triggered very high; other signatures won't be nearly as high, as they are backups to the first method of entry. We had a small infestation and got lucky (about 40 machines out of 7000+), but we did need to drop each machine to safe mode and off network to patch and clean, meaning many man hours and lots of remote on the phone with non-IT people (FUN!).

Thanks, till next time!
Erin

-----Original Message-----
From: InfoSec
Sent: Thursday, June 10, 2004 5:14 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] New Sasser variant?

Is anyone else experiencing large amounts of traffic that appears as Sasser, then turns into an ircbot.trojan named smsc.exe connecting on port 6667, then performs HUGE amounts of SNMP get requests? <grin> I am, and very few people seem to have any clue what this is... Virus companies are jumping around trying to define and be first in line with a solution; I just wondered if anyone on this forum has seen it yet?

ISS sigs triggering thus far are:
MSRPC_LSASS_Bo
TCP_Network_Scan
MSRPC_LSASS_Request_Detected
Microsoft_Windows_Shell_Banner
(others have been turned off due to sheer volume)

Thanks,
Erin

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
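The chain both messages describe (something reaches a host on the LSASS/Sasser port, that host then calls out to IRC on 6667, then it starts firing SNMP gets at everything) is the kind of thing worth correlating per host rather than alerting on each signature alone, since inbound 445 on its own is just normal Windows file sharing. The script below is an added example, not code from either message or from ISS; it runs an ordered state machine over simplified flow records. The record layout, the sample flows, the 445/6667/161 port choices and the fan-out threshold of five distinct SNMP targets are all assumptions of this example, not anything the posts specify.

```python
"""
Per-host correlation of the three stages described in the thread:
  entry     - inbound TCP/445 to the host (LSASS, the Sasser entry vector)
  irc       - a later outbound TCP/6667 from that host (the IRC bot calling out)
  snmp_mass - a later burst of UDP/161 from that host to many distinct targets
Example code, not from the original posts. Ports, thresholds and the flow
record layout ("ts src dst proto dport") are assumptions of this example.
"""

LSASS_PORT = 445
IRC_PORT = 6667
SNMP_PORT = 161
SNMP_FANOUT_THRESHOLD = 5  # assumption: distinct SNMP targets that count as "mass gets"

# Constructed sample flow log (not real traffic). Columns: ts src dst proto dport
SAMPLE_FLOWS = """\
# 10.1.5.7 shows the full chain; 10.1.8.8 stops after IRC; 10.1.6.6 has IRC
# before 445 (wrong order); 10.1.9.9 and 10.1.4.4 never get the entry stage.
1000  10.1.2.3    10.1.5.7     tcp   445
1005  10.1.2.3    10.1.8.8     tcp   445
990   10.1.6.6    192.0.2.10   tcp   6667
1000  10.1.2.3    10.1.6.6     tcp   445
1010  10.1.5.7    192.0.2.10   tcp   6667
1015  10.1.8.8    192.0.2.10   tcp   6667
1020  10.1.5.7    10.1.0.1     udp   161
1021  10.1.5.7    10.1.0.2     udp   161
1022  10.1.5.7    10.1.0.3     udp   161
1023  10.1.5.7    10.1.0.4     udp   161
1024  10.1.5.7    10.1.0.5     udp   161
1025  10.1.8.8    10.1.0.1     udp   161
1026  10.1.8.8    10.1.0.2     udp   161
1050  10.1.9.9    192.0.2.10   tcp   6667
1060  10.1.4.4    10.1.0.1     udp   161
1061  10.1.4.4    10.1.0.2     udp   161
1062  10.1.4.4    10.1.0.3     udp   161
1063  10.1.4.4    10.1.0.4     udp   161
1064  10.1.4.4    10.1.0.5     udp   161
"""


def parse_flows(text):
    """Parse 'ts src dst proto dport' lines; '#' starts a comment. Returns flows sorted by time."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((int(ts), src, dst, proto.lower(), int(dport)))
    flows.sort(key=lambda f: f[0])  # the correlation below is order-sensitive
    return flows


def correlate(flows):
    """Walk flows in time order and return {host: furthest stage reached}."""
    state = {}  # host -> {"stage": ..., "snmp_targets": set()}
    for ts, src, dst, proto, dport in flows:
        if proto == "tcp" and dport == LSASS_PORT:
            # Someone reached this host's LSASS port: it becomes a candidate.
            # Normal SMB traffic lands here too, so "entry" alone is not an alert.
            state.setdefault(dst, {"stage": "entry", "snmp_targets": set()})
        elif proto == "tcp" and dport == IRC_PORT:
            h = state.get(src)
            if h and h["stage"] == "entry":  # IRC only counts after the entry stage
                h["stage"] = "irc"
        elif proto == "udp" and dport == SNMP_PORT:
            h = state.get(src)
            if h and h["stage"] in ("irc", "snmp_mass"):  # SNMP only counts after IRC
                h["snmp_targets"].add(dst)
                if len(h["snmp_targets"]) >= SNMP_FANOUT_THRESHOLD:
                    h["stage"] = "snmp_mass"
    return {host: h["stage"] for host, h in state.items()}


def stages(text):
    """Stage reached per candidate host for a flow log in text form."""
    return correlate(parse_flows(text))


def infected_hosts(text):
    """Hosts that completed the whole entry -> irc -> snmp_mass chain."""
    return sorted(h for h, stage in stages(text).items() if stage == "snmp_mass")


if __name__ == "__main__":
    for host, stage in sorted(stages(SAMPLE_FLOWS).items()):
        print(f"{host:12} {stage}")
    print("full chain:", infected_hosts(SAMPLE_FLOWS))
```

Hosts that only reach "entry" are the normal SMB background and should not page anyone; "irc" is worth a look (the post's bot calls out on 6667 before it does anything else), and "snmp_mass" is the host you pull off the network. The ordering requirement is what keeps a legitimate NMS poller like 10.1.4.4 out of the list: it sends plenty of SNMP gets, but it was never reached on 445 and never spoke IRC first.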
