
  • OKOK.exe is not okay - okay?

The biggest threat companies are facing today is corporate espionage. Even the most secure networks aren't 100% safe, but there are ways network administrators can spot a worm or attacker before the damage is done. Recently I came across a worm that has the potential to send details of a network's internal infrastructure to the attacker, using a service related to Backdoor.CVM.
The infection begins the way it usually does: someone clicks something they shouldn't. Regardless of how it happens, the results are the same.
[Figure: http://blog.spywareguide.com/upload/2008/05/total-thumb.PNG] You can expect to see this many added/modified files across your network if this worm has its way.

The worm's first order of business is to contact the site hosting the malicious content. This particular variant phoned home to http:// 513389.cn/kk.txt. From there it downloads 34 executable files, the last of which is okok.exe. Once okok.exe is saved to the infected machine as C:\Windows\System32\Microsoft\svchost.exe (note the extra Microsoft subdirectory, which the legitimate svchost.exe does not use), it sends out an ARP broadcast to map the network.

[Figure: http://blog.spywareguide.com/upload/2008/05/svchostdumped-thumb.PNG] Svchost.exe (okok.exe) sends out an ARP broadcast across the network.

After that it's only a matter of time until more and more computers on the network start displaying similar network activity. We detect this threat as OkOk.
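The ARP mapping described above is the point where a network administrator can catch this worm early: one host suddenly asks "who-has" for nearly every address on its subnet. The following detector is an added example, not code from the original post or from FaceTime; it runs over constructed ARP request records (timestamp, sender MAC, sender IP, target IP) of the kind you would parse out of a packet capture, and flags any sender that requests an unusual number of distinct targets within a short window.

```python
"""Flag hosts that ARP-request an unusual number of distinct targets
in a short window, the traffic pattern produced when a worm maps the
local network after infection.

Added example (not from the original post). The input records are
constructed here; in practice they would come from a packet capture
parsed into the same four fields."""
from collections import defaultdict, deque

# Constructed ARP "who-has" records: (time_seconds, sender_mac, sender_ip, target_ip)
ARP_REQUESTS = [
    (0.0, "00:11:22:33:44:55", "10.0.0.5", "10.0.0.1"),   # normal gateway lookup
    (1.0, "00:aa:bb:cc:dd:01", "10.0.0.9", "10.0.0.1"),
    (5.0, "00:11:22:33:44:55", "10.0.0.5", "10.0.0.7"),
] + [
    # Constructed burst: one host asking for every address in the /24
    (10.0 + i * 0.01, "00:de:ad:be:ef:01", "10.0.0.42", f"10.0.0.{i}")
    for i in range(1, 255)
]

def detect_arp_sweeps(records, window_s=10.0, threshold=32):
    """Return {sender_mac: (sender_ip, distinct_targets)} for every sender
    that requested more than `threshold` distinct target IPs within any
    `window_s`-second window. A sliding deque per sender keeps memory
    bounded, so the same logic works on a live capture."""
    recent = defaultdict(deque)      # mac -> deque of (time, target_ip)
    flagged = {}
    for t, mac, sip, target in sorted(records):
        q = recent[mac]
        q.append((t, target))
        # drop requests that have fallen out of the window
        while q and t - q[0][0] > window_s:
            q.popleft()
        distinct = len({tgt for _, tgt in q})
        if distinct > threshold:
            # keep the highest count seen for this sender
            prev = flagged.get(mac, (sip, 0))[1]
            if distinct > prev:
                flagged[mac] = (sip, distinct)
    return flagged

if __name__ == "__main__":
    for mac, (ip, n) in detect_arp_sweeps(ARP_REQUESTS).items():
        print(f"possible ARP sweep from {ip} ({mac}): {n} distinct targets")
```

The threshold and window should be tuned to the subnet size and normal chatter; a DHCP server or monitoring host may legitimately probe many addresses and belongs on an allow list.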


© Copyright 2006, FaceTime Communications, Inc. All rights reserved.