Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Just Added - Trend Micro Advisory; Update on PHP worm spreading, Update on Meeneemee.exe, more on RootKitReveal SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Just Added - Trend Micro Advisory; Update on PHP worm spreading, Update on Meeneemee.exe, more on RootKitReveal
Regarding the report of a new PHP worm that we mentioned yesterday.
It is based heavily on the PhpInclude code on  site. It 
appears to be a variant of the ASW worm and is being used to drop
an IRC bot that is connecting to a server in Brazil. Google has
been notified. The worm doesn't appear to be identified by many AV
vendors yet however the bot is: (from VirusTotal)


Antivirus Version Update Result -
AntiVir 6.29.0.16 02.24.2005 no virus found
AVG 718 02.22.2005 PERL/ShellBot
BitDefender 7.0 02.24.2005 Backdoor.Perl.Shellbot.B
ClamAV devel-20050130 02.24.2005 Trojan.Perl.Shellbot.C
DrWeb 4.32b 02.24.2005 no virus found
eTrust-Iris 7.1.194.0 02.24.2005 no virus found
eTrust-Vet 11.7.0.0 02.24.2005 Perl.Shellbot.A
Fortinet 2.51 02.25.2005 no virus found
F-Prot 3.16a 02.24.2005 Unix/ShellBot.C
Ikarus 2.32 02.24.2005 Backdoor.Perl.Shellbot.A
Kaspersky 4.0.2.24 02.25.2005 Backdoor.Perl.Shellbot.a
NOD32v2 1.1007 02.23.2005 Perl.Shellbot.A
Norman 5.70.10 02.22.2005 no virus found
Panda 8.02.00 02.24.2005 no virus found
Sybari 7.5.1314 02.25.2005 Perl.Shellbot.A
Symantec 8.0 02.24.2005 IRC.Backdoor.Trojan


Two ports moving as one


An alert reader noticed that the number of targets for both
41523/TCP and 6504/TCP have been spiking pretty much in unison
over the last two weeks or so. Initial searches don't turn up much
on the uses for the ports. Some suggestions that 41523/TCP might
be Arcserve or InnoculateIT and that 6504/TCP might be NetOp. Any
information would be welcome.


What ever happened to....

I've gotten some questions about what Meeneemee.exe turned out to
be. The simple answer is that we never found a conclusive answer.
However, we have gotten a number of interesting observations:

Eric Tiesinga kindly gave us a possible translation of the word
from Dutch:

Mee --> With, like in "i take something with me"
Neem --> Take, like in "i take something with me"

The words "meeneem" could be a 1st verb of the full word
"meenemen" which could be translated as "take with (me)" like
(i go on a journey).



[Note: STOP! Before you send that email... yes, we *DO* know that it
could be an homage to Dr. Evil's vertically-challenged side-kick.
We knew that before we posted this. We actually *DO* manage to climb
out from under our rocks and see a movie every now and again...
Do you think we've been frozen for the last 30 years, baby? ;-) -TL]


Trend Micro A/V Vulnerable to ARJ Heap Overflow


Just got word that Trend Micro has joined the ranks of A/V 
vendors who have issued advisories and patches to fix an ARJ file
format parser vuln. From
... it is possible to
create a specially-crafted ARJ archive file that overwrites data
after the allocated 512-byte buffer. This specially-crafted
file could possibly execute an arbitrary code.

The original ISS X-Force advisory is referenced there, too.
Toby

68 Posts
Feb 25th 2005

Sign Up for Free or Log In to start participating in the conversation!