ShockRave Worm Intrusion
Brought to you by: ffes
Yo!
I've been using Dorgem for about 2 days now on Windows
XP. Tonight, literally just a few minutes ago, my Norton
Anti-Virus pops up and says it's detected and blocked an
Internet Worm Intrusion attempt, ShockRave something or
other, and listed Dorgem as its gateway onto the machine.
Has this been heard of before?
Should we Dorgem users be worried?
Logged In: YES
user_id=169016
I assume this is a problem with Norton AV
Logged In: YES
user_id=458483
Unfortunately not; after reading through some other Google
results it seems there is a hole in this software, as it's
happened to numerous others.
Fortunately for me I'm back on Gentoo and have no need to use
this.
Norton detected the virus incoming, and listed Dorgem as its
medium onto my system.
Cheers
Logged In: YES
user_id=169016
Then I'll re-open it.
When I google "shockrave dorgem" I don't get any hits, so
could you provide some extra information.
Logged In: YES
user_id=458483
OK, it's taken a while to get a system re-loaded with Windows
XP. We have Windows XP and Norton Anti-Virus 2005 using the
latest updates. Bear in mind this also happened
previously with Norton 2003 on the original bug report.
Security Rule: Default Block FTP99CMP Trojan Horse
Date: 20/01/2006
Time: 20:15
Path: c:\Program Files\Dorgem\Dorgem.exe
Filename: Dorgem
Direction: Inbound
Local Address: All local network adapters
Local Port: 1492
Protocol: TCP
Dorgem is connected to a Creative Labs Webcam for Notebooks.
FTP uploading to 192.168.10.1
Logged In: YES
user_id=458483
Just got another one up:
Security Rule: Default Block SubSeven 2.1/2.2 Trojan Horse
Date: 20/01/2006
Time: 22:06
Path: c:\program files\dorgem\dorgem.exe
Filename: Dorgem
Direction: inbound
Local Address: All local network adaptors
Local Port: 2774
Protocol: TCP
Logged In: YES
user_id=458483
And another:
Security Rule: Default Block SubSeven 2.1/2.2 Trojan Horse
Date: 21/01/2006
Time: 00:11
Path: c:\program files\dorgem\dorgem.exe
Filename: Dorgem
Direction: inbound
Local Address: All local network adaptors
Local Port: 4267
Protocol: TCP
Logged In: YES
user_id=458483
One more:
Security Rule: Default Block Filenail Trojan Horse
Date: 21/01/2006
Time: 00:41
Path: c:\program files\dorgem\dorgem.exe
Filename: Dorgem
Direction: inbound
Local Address: All local network adaptors
Local Port: 4567
Protocol: TCP
Logged In: YES
user_id=169016
I assume you have the web server activated and available
from the Internet. I don't see how FTP upload can be
affected by this.
Logged In: YES
user_id=458483
Nope, the only modules active are FTP upload and 2x Text
Captions. The machine is on a 192.168.10. IP assigned by DHCP.
Logged In: YES
user_id=458483
Security Rule: Default Block TransScout
Date: 22/01/2006
Time: 15:55
Path: c:\program files\dorgem\dorgem.exe
Filename: Dorgem
Direction: inbound
Local Address: All local network adaptors
Local Port: 2001
Protocol: TCP
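As an added triage aid that is not part of this thread: a parser for the Norton alert records quoted above, plus a summary that checks whether every hit names the same process and direction and whether every local port falls inside Windows XP's default dynamic port range (1025-5000, a fact about XP rather than something the thread states). Reading an in-range local port as a socket the process opened itself is my interpretation; the script does not settle what caused the alerts.

```python
# Windows XP's default dynamic (ephemeral) port range. An inbound hit on such a
# port points to a socket the process opened itself (an active-mode FTP client's
# data connection, for example) rather than a fixed service port.
XP_DYNAMIC_PORTS = range(1025, 5001)

# Three of the alert records quoted in this thread, constructed here as sample
# input with the Date, Time, Filename and Local Address fields left out.
SAMPLE_ALERTS = r"""
Security Rule: Default Block FTP99CMP Trojan Horse
Path: c:\Program Files\Dorgem\Dorgem.exe
Direction: Inbound
Local Port: 1492
Protocol: TCP

Security Rule: Default Block SubSeven 2.1/2.2 Trojan Horse
Path: c:\program files\dorgem\dorgem.exe
Direction: inbound
Local Port: 2774
Protocol: TCP

Security Rule: Default Block TransScout
Path: c:\program files\dorgem\dorgem.exe
Direction: inbound
Local Port: 2001
Protocol: TCP
"""

def parse_alerts(text):
    # Each alert is a run of "Key: Value" lines; blank lines separate alerts.
    alerts, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip().lower()] = value.strip()
        elif current:
            alerts.append(current)
            current = {}
    if current:
        alerts.append(current)
    return alerts

def triage(text):
    # Reduce a batch of alerts to what is worth checking before blaming the
    # process in Path: one process or several, which direction, which ports.
    alerts = parse_alerts(text)
    ports = [int(a["local port"]) for a in alerts]
    return {
        "processes": sorted({a["path"].lower() for a in alerts}),
        "directions": sorted({a["direction"].lower() for a in alerts}),
        "ports": ports,
        "all_in_xp_dynamic_range": all(p in XP_DYNAMIC_PORTS for p in ports),
    }
```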
Logged In: YES
user_id=169016
What version of Dorgem are you using exactly? A release
build (what version), a nightly build?
Could you look at these pages:
http://securityresponse.symantec.com/avcenter/attack_sigs/s20244.html
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.subseven.html
And see if the mentioned files are on your system.
I really don't see any other reason than that there is
spyware on your system and it is using Dorgem.
Logged In: YES
user_id=458483
Using your latest released code, Dorgem Release 2.1.0.
Neither file exists, which I would hope, as Norton is the
first thing I always install after any Windows installation.
Also, full system scans using Norton, fully updated, don't
reveal any nasties; also Spybot Search & Destroy is in
operation and working. I use Firefox to prevent the general
junk that IE lets through.
These pop up, however, on basic XP + Norton + Dorgem, even on a
fresh reboot, when the machine is in use and when I'm using
my main Gentoo Linux system.
Logged In: YES
user_id=169016
I don't have Norton Anti-Virus and there is no trial version
available. So I don't have the resources to investigate this
any further. I will post an item on my blog to see if anyone
else can help.