# How Can I Tell if I Was Infected By Aurora?

January 26, 2010

McAfee Labs identified a zero-day vulnerability in Microsoft Internet Explorer that was used as an entry point for “Operation Aurora” to exploit Google and at least 30 other companies.

## How can I tell if my systems were infected?

If you are a McAfee VirusScan Engine customer, verify that you are using .DAT 5864, released on January 18, 2010 (McAfee has provided protection to identify this as of release 5862 and is updating as we continue to debug the attack), and perform a full scan on all machines within your enterprise, starting with the most sensitive servers. If you detect the following signatures triggered: Exploit-Comele, Roarur.dr or Roarur.dll, you very likely have an infected Aurora host and should reach out to McAfee Foundstone, our vulnerability management and protection services division, for onsite Incident Response Services.

You may also take advantage of McAfee’s free [Stinger product](http://download.nai.com/products/mcafee-avert/aurora_stinger.exe), used to clean up an Operation Aurora-infected system.

## If I’m not a McAfee customer…

If you are not a McAfee VirusScan Engine customer and your anti-malware vendor does not provide comprehensive detection for Aurora binaries, you can perform filename and MD5 hash searches on your servers to determine whether you have any matches that way. Ensure that the MD5 hash matches along with the filename to avoid false positives, as the filenames themselves are not unique and are very common Windows OS and other legitimate program filenames. The list of files and hashes is as follows:

| Filename | MD5 |
| --- | --- |
| Rasmon.dll | 0F9C5408335833E72FE73E6166B5A01B |
| a.exe | CD36A3071A315C3BE6AC3366D80BB59C |
| b.exe | 9F880AC607CBD7CDFFFA609C5883C708 |
| AppMgmt.dll | 6A89FBE7B0D526E3D97B0DA8418BF851 |
| A0029670.dll | 3A33013A47C5DD8D1B92A4CFDCDA3765 |
| msconfig32.sys | 7A62295F70642FEDF0D5A5637FEB7986 |
| VedioDriver.dll | 467EEF090DEB3517F05A48310FCFD4EE |
| acelpvc.dll | 4A47404FC21FFF4A1BC492F9CD23139C |
| securmon.dll | E3798C71D25816611A4CAB031AE3C27A |

## Check for outbound Web communications

You can also check for outbound past or present Web communication or DNS resolutions of the following domains* known to be associated with the malware activity:

- 360[dot]homeunix[dot]com
- ad01[dot]homelinux[dot]com
- ads1[dot]homelinux[dot]org
- ads1[dot]webhop[dot]org
- aep[dot]homelinux[dot]com
- aka[dot]homeunix[dot]net
- alt1[dot]homelinux[dot]com
- amd[dot]homeunix[dot]com
- amt1[dot]homelinux[dot]com
- amt1[dot]homeunix[dot]org
- aop01[dot]homeunix[dot]com
- aop1[dot]homelinux[dot]com
- asic1[dot]homeunix[dot]com
- bdc[dot]homeunix[dot]com
- corel[dot]ftpaccess[dot]cc
- ddd1[dot]homelinux[dot]com
- demo1[dot]ftpaccess[dot]cc
- du1[dot]homeunix[dot]com
- fl12[dot]ftpaccess[dot]cc
- ftp1[dot]ftpaccess[dot]cc
- ftp2[dot]homeunix[dot]com
- ftpaccess[dot]cc
- hho1[dot]homeunix[dot]com
- hp1[dot]homelinux[dot]org
- i1024[dot]homelinux[dot]com
- i1024[dot]homeunix[dot]org
- ice[dot]game-host[dot]org
- il01[dot]homeunix[dot]com
- il01[dot]servebbs[dot]com
- il02[dot]servebbs[dot]com
- il03[dot]servebbs[dot]com
- jlop[dot]homeunix[dot]com
- lih001[dot]webhop[dot]net
- lih002[dot]webhop[dot]net
- lih003[dot]webhop[dot]net
- list1[dot]homelinux[dot]org
- live1[dot]webhop[dot]org
- on1[dot]homeunix[dot]com
- patch[dot]homeunix[dot]org
- patch1[dot]ath[dot]cx
- patch1[dot]gotdns[dot]org
- patch1[dot]homelinux[dot]org
- ppp1[dot]ftpaccess[dot]cc
- sc01[dot]webhop[dot]biz
- sl1[dot]homelinux[dot]org
- temp1[dot]homeunix[dot]com
- tor[dot]homeunix[dot]com
- ttt1[dot]homelinux[dot]org
- up01[dot]homelinux[dot]com
- up1[dot]homelinux[dot]org
- up1[dot]mine[dot]nu
- up1[dot]serveftp[dot]net
- up2[dot]mine[dot]nu
- update[dot]ourhobby[dot]com
- update1[dot]homelinux[dot]org
- update1[dot]merseine[dot]nu
- vm01[dot]homeunix[dot]com
- vvpatch[dot]homelinux[dot]org
- war1[dot]game-host[dot]org
- xil[dot]homeunix[dot]com

*In the names above, “[dot]” is substituted for “.” to protect users from accidentally clicking and launching malicious domains.

We recommend searching for outbound requests for, at minimum, the 12/10/09 to 1/6/10 timeframe. The above domains, file names and hashes may not be all-inclusive of those associated with Aurora but give a reasonable representation. If you see Web communication to any of the above sites, you should analyze the origination machine immediately and reach [out to McAfee Foundstone for onsite](http://www.foundstone.com/us/contact-form_911.aspx) Incident Response Services.

McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee Inc and/or
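The filename-plus-hash search described above, as an added example (this is not McAfee's tool or code from the advisory). The filename/MD5 pairs are the advisory's; the directory layout, file contents and the hash registered for the planted `a.exe` in `demo()` are constructed so the match branch can run without any real sample. The point it illustrates is the advisory's caveat: a file is a hit only when name and hash both match, and a name-only collision is reported separately as a probable false positive.

```python
"""Filename + MD5 hunt for the Aurora file indicators listed in the advisory.

Added example, not a McAfee tool. A file is reported as a hit only when BOTH
its name (compared case-insensitively, as on Windows) AND its MD5 match the
advisory's pair; a name match alone is reported separately as a likely false
positive, because names such as AppMgmt.dll belong to legitimate files too.
"""
import hashlib
import os
import tempfile

# Filename -> MD5 pairs exactly as published in the advisory (uppercase hex).
AURORA_FILE_IOCS = {
    "rasmon.dll": "0F9C5408335833E72FE73E6166B5A01B",
    "a.exe": "CD36A3071A315C3BE6AC3366D80BB59C",
    "b.exe": "9F880AC607CBD7CDFFFA609C5883C708",
    "appmgmt.dll": "6A89FBE7B0D526E3D97B0DA8418BF851",
    "a0029670.dll": "3A33013A47C5DD8D1B92A4CFDCDA3765",
    "msconfig32.sys": "7A62295F70642FEDF0D5A5637FEB7986",
    "vediodriver.dll": "467EEF090DEB3517F05A48310FCFD4EE",
    "acelpvc.dll": "4A47404FC21FFF4A1BC492F9CD23139C",
    "securmon.dll": "E3798C71D25816611A4CAB031AE3C27A",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so large binaries are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def classify(path, iocs=AURORA_FILE_IOCS):
    """Return 'match' (name AND hash), 'name-only' (the false-positive case
    the advisory warns about) or None (name not listed / file unreadable)."""
    expected = iocs.get(os.path.basename(path).lower())
    if expected is None:
        return None
    try:
        actual = md5_of_file(path)
    except OSError:
        return None  # locked or unreadable file: report nothing rather than guess
    return "match" if actual == expected else "name-only"


def hunt(root, iocs=AURORA_FILE_IOCS):
    """Walk `root`. Returns ({path: md5} of true matches, [paths] of name-only hits)."""
    matches, name_only = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            verdict = classify(path, iocs)
            if verdict == "match":
                matches[path] = iocs[fn.lower()]
            elif verdict == "name-only":
                name_only.append(path)
    return matches, name_only


def demo():
    """Constructed scenario (no real malware involved): a benign 'AppMgmt.dll'
    that only shares an IOC filename, and a constructed 'a.exe' whose hash is
    registered in a COPY of the IOC table so the true-match branch runs."""
    root = tempfile.mkdtemp(prefix="aurora_demo_")
    benign = os.path.join(root, "AppMgmt.dll")
    planted = os.path.join(root, "a.exe")
    with open(benign, "wb") as fh:
        fh.write(b"constructed: legitimate file that merely shares an IOC name")
    with open(planted, "wb") as fh:
        fh.write(b"constructed: stand-in whose hash we add to a copy of the table")
    test_iocs = dict(AURORA_FILE_IOCS)
    test_iocs["a.exe"] = md5_of_file(planted)  # constructed hash, NOT the real one
    matches, name_only = hunt(root, test_iocs)
    real_matches, real_name_only = hunt(root)  # against the published table
    return {
        "root": root, "benign": benign, "planted": planted,
        "matches": matches, "name_only": name_only,
        "real_matches": real_matches, "real_name_only": real_name_only,
    }


if __name__ == "__main__":
    result = demo()
    for path, md5 in result["matches"].items():
        print("MATCH     ", path, md5)
    for path in result["name_only"]:
        print("NAME-ONLY ", path, "(hash differs: probably legitimate)")
```

On a real server you would call `hunt()` on the volume root with the published table; only entries in the first return value are Aurora indicators, while the second list is the name-collision noise the advisory tells you to discount.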
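The outbound-communication check described above, as an added example (not McAfee's code). The domain list is the advisory's, kept in its defanged `[dot]` form and re-fanged in code; the log line format (`<ISO-8601 time> <client IP> <record type> <hostname or URL>`) and the sample lines are constructed, so `parse_line()` is the only part you would adapt to a real DNS or proxy log. It matches subdomains of a listed domain (the list contains the bare `ftpaccess[dot]cc`), does not match the dynamic-DNS parents that are not listed, and flags whether each hit falls in the advisory's 12/10/09 to 1/6/10 window.

```python
"""Scan DNS / proxy log lines for the Aurora domains listed in the advisory.

Added example, not a McAfee tool. Log format is constructed:
'<ISO-8601 timestamp> <client IP> <type> <hostname or URL>'.
"""
from datetime import date, datetime
from urllib.parse import urlsplit

# The advisory's domain list, defanged exactly as published.
DEFANGED_DOMAINS = """
360[dot]homeunix[dot]com      ad01[dot]homelinux[dot]com    ads1[dot]homelinux[dot]org
ads1[dot]webhop[dot]org       aep[dot]homelinux[dot]com     aka[dot]homeunix[dot]net
alt1[dot]homelinux[dot]com    amd[dot]homeunix[dot]com      amt1[dot]homelinux[dot]com
amt1[dot]homeunix[dot]org     aop01[dot]homeunix[dot]com    aop1[dot]homelinux[dot]com
asic1[dot]homeunix[dot]com    bdc[dot]homeunix[dot]com      corel[dot]ftpaccess[dot]cc
ddd1[dot]homelinux[dot]com    demo1[dot]ftpaccess[dot]cc    du1[dot]homeunix[dot]com
fl12[dot]ftpaccess[dot]cc     ftp1[dot]ftpaccess[dot]cc     ftp2[dot]homeunix[dot]com
ftpaccess[dot]cc              hho1[dot]homeunix[dot]com     hp1[dot]homelinux[dot]org
i1024[dot]homelinux[dot]com   i1024[dot]homeunix[dot]org    ice[dot]game-host[dot]org
il01[dot]homeunix[dot]com     il01[dot]servebbs[dot]com     il02[dot]servebbs[dot]com
il03[dot]servebbs[dot]com     jlop[dot]homeunix[dot]com     lih001[dot]webhop[dot]net
lih002[dot]webhop[dot]net     lih003[dot]webhop[dot]net     list1[dot]homelinux[dot]org
live1[dot]webhop[dot]org      on1[dot]homeunix[dot]com      patch[dot]homeunix[dot]org
patch1[dot]ath[dot]cx         patch1[dot]gotdns[dot]org     patch1[dot]homelinux[dot]org
ppp1[dot]ftpaccess[dot]cc     sc01[dot]webhop[dot]biz       sl1[dot]homelinux[dot]org
temp1[dot]homeunix[dot]com    tor[dot]homeunix[dot]com      ttt1[dot]homelinux[dot]org
up01[dot]homelinux[dot]com    up1[dot]homelinux[dot]org     up1[dot]mine[dot]nu
up1[dot]serveftp[dot]net      up2[dot]mine[dot]nu           update[dot]ourhobby[dot]com
update1[dot]homelinux[dot]org update1[dot]merseine[dot]nu   vm01[dot]homeunix[dot]com
vvpatch[dot]homelinux[dot]org war1[dot]game-host[dot]org    xil[dot]homeunix[dot]com
""".split()


def refang(name):
    """Turn the advisory's '[dot]' notation back into a real hostname."""
    return name.replace("[dot]", ".").lower().rstrip(".")


AURORA_DOMAINS = frozenset(refang(d) for d in DEFANGED_DOMAINS)

# The advisory's minimum search window, inclusive (12/10/09 to 1/6/10).
WINDOW_START = date(2009, 12, 10)
WINDOW_END = date(2010, 1, 6)


def matching_domain(host):
    """Return the listed domain that `host` equals or falls under, else None.
    'files.ftpaccess.cc' matches because the bare 'ftpaccess.cc' is listed;
    'homeunix.com' does not, because only specific hosts under it are."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in AURORA_DOMAINS:
            return candidate
    return None


def parse_line(line):
    """Constructed format only; returns (datetime, client, host) or None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts_raw, client, _kind, target = parts
    try:
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    host = urlsplit(target).hostname if "://" in target else target
    return (ts, client, host) if host else None


def scan(lines):
    """Return one dict per line whose host is (under) a listed domain."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, host = parsed
        indicator = matching_domain(host)
        if indicator is None:
            continue
        hits.append({"line": lineno, "time": ts, "client": client, "host": host,
                     "indicator": indicator,
                     "in_window": WINDOW_START <= ts.date() <= WINDOW_END})
    return hits


# Constructed sample log: clients, times and the unrelated hosts are invented.
SAMPLE_LOG = [
    "2009-12-22T10:14:03Z 10.20.30.41 DNS up1.homelinux.org",            # listed, in window
    "2009-12-22T10:14:09Z 10.20.30.41 HTTP http://update.ourhobby.com/",  # URL form
    "2010-01-03T08:02:55Z 10.20.30.77 DNS files.ftpaccess.cc",           # subdomain of listed
    "2009-11-30T23:59:00Z 10.20.30.41 DNS tor.homeunix.com",              # listed, before window
    "2009-12-23T12:00:00Z 10.20.30.55 DNS www.example.com",               # unrelated
    "2009-12-23T12:00:00Z 10.20.30.55 DNS homeunix.com",                  # parent only, not listed
    "malformed line that does not parse",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        flag = "IN-WINDOW " if h["in_window"] else "outside   "
        print(flag, h["time"], h["client"], h["host"], "->", h["indicator"])
```

Hits outside the window are still reported, since the advisory gives the dates as a minimum; every hit names the originating client so the machine can be pulled for analysis as the advisory recommends.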