Arnar DeMarco - IS672 Computer and Network Security Lab2 - Viruses

Item #1:
9/25/2006 9:39:42 AM Critical N/A Realtime The EICAR_test_file was detected in C:\DOCUMENTS AND SETTINGS\ARNAR\DESKTOP\EICAR.COM.TXT. Machine: ARNAR'S COMPUTER, User: ARNAR'S COMPUTER\ARNAR. File Status: Cure failed, file renamed.

Item #2: Backdoor
The worm has a backdoor that listens on port 2535. When active, the worm periodically connects to websites (it has a hardcoded list of 93 websites) and reports the backdoor's ID and port to the worm author.
URL: http://www.f-secure.com/v-descs/bagle_y.shtml

Item #3:
First Attack:
2002-12-07 06:46:32 130.85.241.206 - 130.85.130.91 80 GET /class/451c/ebxml/ebxml.gif - 304 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98)
2002-12-07 06:52:02 210.99.132.216 - 130.85.130.91 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
2002-12-07 07:05:09 130.85.98.249 - 130.85.130.91 80 GET /class/451c/syll451c1.htm - 304 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
2002-12-07 07:05:09 130.85.98.249 - 130.85.130.91 80 GET /images/styles.css - 304 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)

Second Attack:
2002-12-07 16:12:05 68.33.17.214 - 130.85.130.91 80 GET /class/ciw.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+XP)+Opera+6.05++[en]
2002-12-07 16:12:34 218.151.32.113 - 130.85.130.91 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
2002-12-07 16:13:07 68.33.17.214 - 130.85.130.91 80 GET /class/451c/ifsm451chw9.cfm email=resezer1@umbc.edu 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+XP)+Opera+6.05++[en]
2002-12-07 16:13:08 68.33.17.214 - 130.85.130.91 80 GET /class/451c/edi/vpn-site.swf - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+XP)+Opera+6.05++[en]
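The two /default.ida requests in the Item #3 logs match the well-known Code Red IIS worm probe: a long run of filler letters aimed at the .ida ISAPI handler, followed by %u-encoded payload bytes, arriving between ordinary page requests. As an added example (not part of the lab submission), this Python detector parses IIS W3C lines in the column order read off the sample rows (an assumption, since no #Fields header is on the page) and flags such requests; the embedded sample log is constructed from the page's entries.

```python
import re
from collections import namedtuple

# IIS W3C extended log columns in the order the lab's log uses them (an assumption:
# no #Fields header survives on the page, so the order is read off the sample rows).
FIELDS = ("date", "time", "c_ip", "cs_username", "s_ip", "s_port", "cs_method",
          "cs_uri_stem", "cs_uri_query", "sc_status", "cs_user_agent")

# Code Red probe: a long run of one filler letter (N in the original worm, X in
# Code Red II) aimed at the .ida ISAPI filter, followed by %u-encoded payload bytes.
FILLER_RUN = re.compile(r"([NX])\1{99,}")      # 100+ identical filler characters
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")

Hit = namedtuple("Hit", "timestamp source_ip status filler_len")

def parse_line(line):
    # Split one W3C line into a field dict; None if the column count is off.
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def is_code_red(entry):
    # True when the request targets /default.ida with the filler-plus-%u pattern.
    if entry["cs_uri_stem"].lower() != "/default.ida":
        return False
    query = entry["cs_uri_query"]
    return bool(FILLER_RUN.search(query)) and len(UNICODE_ESCAPE.findall(query)) >= 4

def scan(log_text):
    """Return a Hit for every Code Red request, in log order."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and W3C directives
            continue
        entry = parse_line(line)
        if entry and is_code_red(entry):
            run = FILLER_RUN.search(entry["cs_uri_query"]).group(0)
            hits.append(Hit(f"{entry['date']} {entry['time']}", entry["c_ip"],
                            int(entry["sc_status"]), len(run)))
    return hits

# Constructed sample modelled on the lab's log: two ordinary requests bracketing
# two Code Red probes from different sources (224 N's, as in the real worm).
CR_QUERY = "N" * 224 + ("%u9090%u6858%ucbd3%u7801" * 3) + "%u9090%u9090%u8190%u00c3" \
           "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
SAMPLE_LOG = f"""
2002-12-07 06:46:32 130.85.241.206 - 130.85.130.91 80 GET /class/451c/ebxml/ebxml.gif - 304 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98)
2002-12-07 06:52:02 210.99.132.216 - 130.85.130.91 80 GET /default.ida {CR_QUERY} 200 -
2002-12-07 16:12:05 68.33.17.214 - 130.85.130.91 80 GET /class/ciw.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+XP)+Opera+6.05++[en]
2002-12-07 16:12:34 218.151.32.113 - 130.85.130.91 80 GET /default.ida {CR_QUERY} 200 -
"""
```

Calling `scan(SAMPLE_LOG)` yields one Hit per probe with its timestamp and source IP, which is exactly the pairing the lab's "First Attack" and "Second Attack" sections ask for.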