Here's some info:
http://vil.nai.com/vil/content/v_141204.htm
http://vil.nai.com/vil/content/v_244825.htm

-- Update November 25th, 2009--
A new variant of W32/Fujacks.worm was identified with some new
characteristics. This variant is installed as a hidden service on the
infected system. The following activities were observed:

Disables Safe boot and Network boot modes

Creates the following files:

      * C:\WINDOWS\system32\dllcache\lsasvc.dll
      * C:\WINDOWS\system32\[random_name].dll
      * %TEMP%\Loopt.bat

where %TEMP% points to the temporary folder of the logged-on user.

This variant also drops a rootkit component to a file named %WINDOWS%
\Temp\nthid.sys and executes it as a service. The file is deleted after
it runs. We detect this rootkit as W32/Fujacks!rootkit.

The [random_name].dll is the hidden service, which checks for the
existence of lsasvc.dll and the rootkit component and drops them if they
are not running.

Creates the following registry key to restart on reboot:

      * HKLM\SYSTEM\CurrentControlSet\Services\[random_name]

where [random_name] is the same name as the file created above.

Creates the following named pipes:

      * \\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A
      * \\.\NtHid

Those pipes are used to communicate with the lsasvc.dll and the rootkit
component.

Modifies the content of %SYSTEM32%\drivers\etc\hosts to the following:

        127.0.0.1  localhost

Regards,
Craig

On Sat, 2009-11-28 at 21:10 -0600, RandallM wrote:
> anyone have more info on what to look for? I don't want my Holiday
> season destroyed!
> 
>  China warns about return of destructive Panda virus
> The Panda Burning Incense worm had infected millions of Chinese PCs in
> early 2007
> By Owen Fletcher , IDG News Service , 11/27/2009
> 
> http://preview.tinyurl.com/yfcfwyg
> 
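For anyone who wants to turn the indicators in Craig's update into a repeatable host check, here is an added example (not from the original mail, the McAfee VIL pages or any vendor tool). It takes a snapshot of a host (file paths, service registry keys, open named pipes and the hosts file text) and reports which of the listed indicators are present. The snapshot below is constructed for illustration, and the file name qtkxz.dll stands in for the [random_name] the write-up leaves unspecified; on a real machine the snapshot would come from the usual inventory tooling. The one piece of logic that goes beyond the list itself is the correlation the write-up implies: the persistence key under Services and the DLL in system32 share the same random name, so the script pairs them up.

```python
"""Host-snapshot matcher for the W32/Fujacks.worm variant indicators.

Added example, not code from the original mail or from McAfee. Indicator
values are the ones quoted in the update; everything in SAMPLE_SNAPSHOT is
constructed, and 'qtkxz' is a stand-in for the unknown [random_name].
"""
import re

# Fixed-path indicators from the update (lower-cased for comparison).
FIXED_FILES = {
    r"c:\windows\system32\dllcache\lsasvc.dll",
    r"c:\windows\temp\nthid.sys",  # short-lived: deleted once the rootkit service has run
}
TEMP_BATCH = "loopt.bat"           # dropped as %TEMP%\Loopt.bat, so only the basename is fixed
PIPES = {
    r"\\.\pipe\96dba249-e88e-4c47-98dc-e18e6e3e3e5a",
    r"\\.\nthid",
}
SYSTEM32 = r"c:\windows\system32"
SERVICES_KEY = r"hklm\system\currentcontrolset\services"
STRONG = {"file", "temp_batch", "pipe"}   # findings that stand on their own


def _norm(path):
    """Lower-case and use backslashes so comparisons ignore case and slash style."""
    return path.strip().lower().replace("/", "\\")


def match_fujacks_iocs(snapshot):
    """Return a list of (indicator_kind, detail) findings for one host snapshot."""
    files = {_norm(f) for f in snapshot.get("files", [])}
    services = {_norm(s) for s in snapshot.get("services", [])}
    pipes = {_norm(p) for p in snapshot.get("pipes", [])}
    findings = []

    for f in sorted(files & FIXED_FILES):
        findings.append(("file", f))
    for f in sorted(files):
        if f.rpartition("\\")[2] == TEMP_BATCH:
            findings.append(("temp_batch", f))

    # The service key and the DLL in system32 share one random name, so pair
    # every Services\<name> key with system32\<name>.dll. Legitimate services
    # can pair the same way, so treat a hit as a lead to review, not proof.
    system32_dlls = set()
    for f in files:
        head, _, tail = f.rpartition("\\")
        if head == SYSTEM32 and tail.endswith(".dll"):
            system32_dlls.add(tail[:-4])
    for s in sorted(services):
        head, _, name = s.rpartition("\\")
        if head == SERVICES_KEY and name in system32_dlls:
            findings.append(("service_dll_pair", name))

    for p in sorted(pipes & PIPES):
        findings.append(("pipe", p))

    # hosts file reduced to a single localhost line. Some installs ship exactly
    # that, so on its own this only corroborates the other findings.
    lines = [re.sub(r"\s+", " ", ln.strip())
             for ln in snapshot.get("hosts", "").splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if lines == ["127.0.0.1 localhost"]:
        findings.append(("hosts_reset", lines[0]))
    return findings


def is_likely_infected(findings):
    """True when at least one finding is from a category that is specific to this variant."""
    return any(kind in STRONG for kind, _ in findings)


# Constructed snapshot of an infected host (not real data).
SAMPLE_SNAPSHOT = {
    "files": [
        r"C:\WINDOWS\system32\dllcache\lsasvc.dll",
        r"C:\WINDOWS\system32\qtkxz.dll",        # stand-in for [random_name].dll
        r"C:\WINDOWS\system32\kernel32.dll",
        r"C:\Documents and Settings\alice\Local Settings\Temp\Loopt.bat",
    ],
    "services": [
        r"HKLM\SYSTEM\CurrentControlSet\Services\qtkxz",
        r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache",
    ],
    "pipes": [r"\\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A", r"\\.\pipe\lsass"],
    "hosts": "127.0.0.1  localhost\n",
}

if __name__ == "__main__":
    for kind, detail in match_fujacks_iocs(SAMPLE_SNAPSHOT):
        print(f"{kind:18} {detail}")
    print("likely infected:", is_likely_infected(match_fujacks_iocs(SAMPLE_SNAPSHOT)))
```

The nthid.sys path is kept in the list even though the write-up says the file is deleted after it runs; a snapshot taken mid-infection, or a file-creation log rather than a directory listing, can still show it. The service/DLL pairing is deliberately reported separately from the fixed indicators so a legitimate service whose DLL happens to carry the same name does not by itself flag the host.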


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
