From: Aron Roberts (aron_at_socrates.berkeley.edu)
Date: Mon Aug 04 2003 - 11:45:45 PDT
At 7:58 -0700 2003-08-04, I wrote:
> On Friday, August 1 at 13:13, Forrest Smalley wrote:
>
>> We seem to have a dozen or so computers that have probably been
>> infected with a backdoor trojan. It seems to have written a directx.exe
>> file to c:\windows\system32 ... I'm guessing someone used the RPC
>> hole to infect the machines.
>>
>> The machines exhibit the symptoms of not being able to log off or shut down.
>> Killing the directx process allows this and kills the IRC channel 6667 that
>> it has opened up.
>
> Forrest's report of a directx.exe executable and of code that
> listens for commands on an Internet Relay Chat channel is confirmed
> by the following article ...
To be clear, Forrest's report and the article's description are
similar, but not identical. For this reason, it is possible that
there may be at least two exploits involved, or alternately that the
list of files identified in the aforementioned CNET article may be
incomplete.
Forrest mentions seeing a 'direct.exe' file modified at the same
time as an "RPC error in the system log" which appears to be clearly
associated with exploit-like behavior. However, the CNET article
describing one of the early DCOM RPC exploits does not mention a
'directx.exe' file by name, but rather six other files, whose names
are said to "include":
dcomx.exe
lolx.exe
rpc.exe
rpctest.exe
tftpd.exe
worm.exe
Aron Roberts
Workstation Software Support Group
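The following is an added triage helper, not part of the original message or of anything the thread's participants posted. It turns the indicators named in this thread into a check a support technician could run over two artefacts gathered from a suspect machine: a `dir` style listing of the system32 directory (looked up for directx.exe and for the six file names the CNET article is quoted as listing) and `netstat -ano` style output (looked up for TCP sockets on port 6667, the IRC port Forrest reports the directx process holding open). The sample listing and netstat lines below are constructed for the example; the function names and the exact column layout assumed by the netstat parser are assumptions, not something the thread specifies.

```python
"""Triage helper for the IRC-backdoor indicators discussed in this thread.

Added example (not from the original message). Assumes two text artefacts
collected from a suspect Windows host: the output of `dir %SystemRoot%\\system32`
and the output of `netstat -ano`. Both are parsed here from constructed sample
lines so the script runs offline.
"""
import re
from typing import Dict, List, Tuple

# File names mentioned in the thread: directx.exe from Forrest's report and
# the six names the CNET article is quoted as listing.
SUSPECT_NAMES = {
    "directx.exe", "dcomx.exe", "lolx.exe", "rpc.exe",
    "rpctest.exe", "tftpd.exe", "worm.exe",
}

# IRC port reported by Forrest as held open by the directx process.
IRC_PORT = 6667

# Matches one `netstat -ano` data line: proto, local addr:port, remote
# addr:port, optional state (absent for UDP), PID.  Assumed column layout.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?\s+(\d+)\s*$"
)


def suspicious_files(listing: List[str]) -> List[str]:
    """Return the suspect file names present in a `dir` style listing.

    Each data line is expected to end with the file name.  Matching is
    case-insensitive because NTFS preserves case but does not distinguish it.
    """
    hits = set()
    for line in listing:
        parts = line.split()
        if not parts:
            continue
        name = parts[-1].lower()
        if name in SUSPECT_NAMES:
            hits.add(name)
    return sorted(hits)


def irc_sockets(netstat_lines: List[str]) -> Dict[int, Tuple[str, str, str]]:
    """Map PID -> (local, remote, state) for TCP sockets touching port 6667.

    Both local and remote port are checked, since the report does not say
    whether the process connects out to an IRC server or listens itself.
    """
    found = {}
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header line or unexpected layout
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        if proto != "TCP":
            continue
        ports = {int(lport)}
        if rport.isdigit():
            ports.add(int(rport))
        if IRC_PORT in ports:
            found[int(pid)] = (f"{laddr}:{lport}", f"{raddr}:{rport}", state or "")
    return found


def triage(listing: List[str], netstat_lines: List[str]) -> Dict[str, list]:
    """Combine both checks into one summary a technician can act on."""
    return {
        "files": suspicious_files(listing),
        "pids": sorted(irc_sockets(netstat_lines)),
    }


# Constructed sample artefacts (not real captures from the affected machines).
SAMPLE_LISTING = [
    "08/01/2003  01:13 PM            32,768 directx.exe",
    "08/01/2003  01:13 PM            18,944 tftpd.exe",
    "03/31/2003  07:00 AM           145,920 notepad.exe",
    "03/31/2003  07:00 AM    <DIR>          drivers",
]

SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       796",
    "  TCP    192.168.1.5:1234       10.0.0.1:6667          ESTABLISHED     1432",
    "  UDP    0.0.0.0:137            *:*                                    4",
]

if __name__ == "__main__":
    # On a real host, feed in the captured `dir` and `netstat -ano` output.
    print(triage(SAMPLE_LISTING, SAMPLE_NETSTAT))
```

A PID flagged by `irc_sockets` can be cross-checked against the process list (the thread's symptom is a process named directx), and any file name flagged by `suspicious_files` should be compared against the timestamp of the RPC error in the system log that Forrest mentions, since that correlation is what ties the file to the intrusion.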
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
This archive was generated by hypermail 2.1.5 : Mon Aug 04 2003 - 11:53:25 PDT