OKOK.exe is not okay - okay?

Corporate espionage is one of the biggest threats companies face today. Even the most secure networks aren't 100% safe, but there are ways network administrators can spot a worm or an attacker before the damage is done. Recently I came across a worm that has the potential to hand the internal infrastructure of a network to the attacker by using a service related to Backdoor.CVM.
The infection begins the way it usually does: someone clicks something they shouldn't. Regardless of how it happens, the results are the same.
http://blog.spywareguide.com/upload/2008/05/total-thumb.PNG
You can expect to see this many added or modified files across your network if this worm has its way.

The worm's first order of business is to contact the site hosting the malicious content. This particular variant phoned home to http:// 513389.cn/kk.txt. From there it downloads 34 executable files, the last of which is okok.exe. okok.exe is saved to the infected machine as C:\Windows\System32\Microsoft\svchost.exe (note the extra Microsoft subdirectory: the legitimate svchost.exe lives directly in System32, so the path alone is a host-side indicator). It then sends out ARP broadcasts to map the local network.

http://blog.spywareguide.com/upload/2008/05/svchostdumped-thumb.PNG
The renamed okok.exe, running as svchost.exe, sends ARP broadcasts across the network.

After that it's only a matter of time until more and more computers on the network start displaying similar network activity. We detect this threat as OkOk.
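The two indicators described above, the svchost.exe copy living outside System32 and a single host ARP-ing its way across the subnet, are both cheap to check. The script below is an added example written for this post, not the author's or the vendor's detection; it assumes ARP request records have already been extracted (for example from a packet capture) into timestamp, sender IP and target IP, and the sample records, the 10-second window and the 20-target threshold are constructed assumptions rather than figures from the post.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# Directories where the real Windows service host lives. Anything named
# svchost.exe running from elsewhere (the post's sample dropped it in
# C:\Windows\System32\Microsoft\) is worth triaging. SysWOW64 is included
# as an assumption for 64-bit hosts.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_suspicious_svchost_path(image_path: str) -> bool:
    """True when a process image named svchost.exe runs from an unexpected directory."""
    p = PureWindowsPath(image_path)
    if p.name.lower() != "svchost.exe":
        return False
    return str(p.parent).lower() not in LEGIT_SVCHOST_DIRS


@dataclass(frozen=True)
class ArpRequest:
    ts: float         # capture timestamp in seconds
    sender_ip: str    # host asking "who has target_ip?"
    target_ip: str


def detect_arp_sweeps(requests: Iterable[ArpRequest],
                      window: float = 10.0,
                      threshold: int = 20) -> Dict[str, int]:
    """Return {sender_ip: peak_distinct_targets} for every sender that asked
    for at least `threshold` distinct target IPs within any `window` seconds.
    Uses a sliding window over each sender's requests sorted by time."""
    by_sender: Dict[str, List[ArpRequest]] = defaultdict(list)
    for r in requests:
        by_sender[r.sender_ip].append(r)

    hits: Dict[str, int] = {}
    for sender, reqs in by_sender.items():
        reqs.sort(key=lambda r: r.ts)
        in_window: Counter = Counter()  # multiset of target IPs currently in the window
        start = 0
        peak = 0
        for r in reqs:
            in_window[r.target_ip] += 1
            # Evict requests that fell out of the window.
            while r.ts - reqs[start].ts > window:
                old = reqs[start].target_ip
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[sender] = peak
    return hits


def sample_requests() -> List[ArpRequest]:
    """Constructed sample: one normal host and one host sweeping a /24."""
    reqs: List[ArpRequest] = []
    # Normal host resolving its gateway and a file server every so often.
    for i, tgt in enumerate(["192.168.1.1", "192.168.1.10", "192.168.1.1", "192.168.1.10"]):
        reqs.append(ArpRequest(ts=i * 15.0, sender_ip="192.168.1.20", target_ip=tgt))
    # Infected host asking for every address in the subnet in about 2.5 seconds.
    for i in range(1, 255):
        reqs.append(ArpRequest(ts=30.0 + i * 0.01, sender_ip="192.168.1.50",
                               target_ip=f"192.168.1.{i}"))
    return reqs


if __name__ == "__main__":
    for path in (r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\Microsoft\svchost.exe"):
        print(f"{path}: {'SUSPICIOUS' if is_suspicious_svchost_path(path) else 'ok'}")
    for sender, n in detect_arp_sweeps(sample_requests()).items():
        print(f"ARP sweep from {sender}: {n} distinct targets in one window")
```

The threshold is deliberately a tunable: a DHCP server or monitoring box legitimately ARPs for many hosts, so baseline each sender before alerting, and pair the network signal with the host-side path check so a single noisy client does not page anyone on its own.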

About this Entry

This page contains a single entry by Chris Mannon published on May 13, 2008 5:03 PM.
