David Abarbanel
10/4/2007
IS 672 - Lab 2

#1

10/4/2007 7:53 PM  Scan Started   MESA\dave  On-Demand Scan
10/4/2007 7:53 PM  Infected       MESA\dave  D:\zip\eicar.com.txt  EICAR test file (Virus) (No Remover Available)
10/4/2007 7:53 PM  Alert Error    MESA\dave  Error occurred while trying to send a message to the Alert Manager.
10/4/2007 7:53 PM  Scan Summary   MESA\dave  Scan Summary
10/4/2007 7:53 PM  Scan Summary   MESA\dave  Boot sectors scanned : 0
10/4/2007 7:53 PM  Scan Summary   MESA\dave  Boot sectors infected : 0
10/4/2007 7:53 PM  Scan Summary   MESA\dave  Boot sectors cleaned : 0
10/4/2007 7:53 PM  Scan Summary   MESA\dave  Files scanned : 1
10/4/2007 7:53 PM  Scan Summary   MESA\dave  Files infected : 1
10/4/2007 7:53 PM  Scan Summary   MESA\dave  Files cleaned : 0
10/4/2007 7:53 PM  Scan Summary   MESA\dave  Files deleted : 0
10/4/2007 7:53 PM  Scan Summary   MESA\dave  Files moved : 0
10/4/2007 7:53 PM  Scan Complete  MESA\dave  On-Demand Scan

#2

URL: http://www.f-secure.com/v-descs/bagle_y.shtml#details

"The worm has a backdoor that listens to port 2535. When active, the worm periodically connects to websites (it has a hardcoded list of 93 websites) and reports backdoor's ID and backdoor's port to the worm author."

#3

The third line below (the GET /default.ida request) appears to be a buffer overflow attack, as indicated by the large number of characters following the GET command.

2002-12-07 06:46:28 130.85.241.206 - 130.85.130.91 80 GET /class/451c/ifsm451chw10.cfm email=nmazar1@umbc.edu 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98)
2002-12-07 06:46:32 130.85.241.206 - 130.85.130.91 80 GET /class/451c/ebxml/ebxml.gif - 304 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98)
2002-12-07 06:52:02 210.99.132.216 - 130.85.130.91 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
2002-12-07 07:05:09 130.85.98.249 - 130.85.130.91 80 GET /class/451c/syll451c1.htm - 304 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
2002-12-07 07:05:09 130.85.98.249 - 130.85.130.91 80 GET /images/styles.css - 304 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
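The "look for an unusually long query after GET" reasoning in #3 can be turned into a small log-triage check. This script is an added example, not part of the lab or the log's source; it assumes the IIS W3C field order seen in the excerpt above, a 256-character query threshold, and approximates the run of N's as 224 characters.

```python
import re
from typing import Dict, List, Optional, Tuple

# IIS W3C extended log fields in the order used by the lab's log excerpt.
FIELDS = ["date", "time", "c_ip", "cs_username", "s_ip", "s_port", "cs_method",
          "cs_uri_stem", "cs_uri_query", "sc_status", "cs_user_agent"]
# Constructed sample input: the five log entries from the lab. The run of N's
# in the /default.ida request is approximated as 224 characters.
IDA_QUERY = ("N" * 224 + "%u9090%u6858%ucbd3%u7801" * 3
             + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
UA98 = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98)"
UA2K = "Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)"
SAMPLE_LOG = "\n".join([
    f"2002-12-07 06:46:28 130.85.241.206 - 130.85.130.91 80 GET /class/451c/ifsm451chw10.cfm email=nmazar1@umbc.edu 200 {UA98}",
    f"2002-12-07 06:46:32 130.85.241.206 - 130.85.130.91 80 GET /class/451c/ebxml/ebxml.gif - 304 {UA98}",
    f"2002-12-07 06:52:02 210.99.132.216 - 130.85.130.91 80 GET /default.ida {IDA_QUERY} 200 -",
    f"2002-12-07 07:05:09 130.85.98.249 - 130.85.130.91 80 GET /class/451c/syll451c1.htm - 304 {UA2K}",
    f"2002-12-07 07:05:09 130.85.98.249 - 130.85.130.91 80 GET /images/styles.css - 304 {UA2K}",
])

MAX_QUERY_LEN = 256                              # threshold is an assumption for this example
REPEAT_RE = re.compile(r"(.)\1{63,}")            # 64+ copies of one character (padding)
UNICODE_RE = re.compile(r"%u[0-9a-fA-F]{4}")     # %uXXXX escapes, not normal form data

def parse_w3c_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields; IIS writes '+' for spaces, so whitespace splitting is safe."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """Return the heuristics that the entry's query string trips (empty list if clean)."""
    q = entry["cs_uri_query"]
    reasons = []
    if q != "-" and len(q) > MAX_QUERY_LEN:
        reasons.append(f"query length {len(q)} exceeds {MAX_QUERY_LEN}")
    if REPEAT_RE.search(q):
        reasons.append("long run of one repeated character")
    if UNICODE_RE.search(q):
        reasons.append("%uXXXX encoded bytes in query")
    return reasons

def flag_log(text: str) -> List[Tuple[Dict[str, str], List[str]]]:
    """Parse every line and keep those that trip at least one heuristic."""
    flagged = []
    for line in text.splitlines():
        entry = parse_w3c_line(line)
        if entry and (reasons := suspicious_reasons(entry)):
            flagged.append((entry, reasons))
    return flagged
```

Run `flag_log(SAMPLE_LOG)` and only the 06:52:02 request from 210.99.132.216 is returned, with all three reasons; the four ordinary course-page requests pass clean.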