I've found a new trojan (?) named DSB recently. It occurred last week, since I found there are many entries in my Apache access_log that only reach my web site's / and the user-agent field was filled with "DSB 1.1.1h". Last weekend there were more "DSB 1.2.0h" than "DSB 1.1.1h", so it seems it's updating itself; now they're all "DSB 1.2.0h", and the updating seems finished. The source IPs are mostly from Italy, and the number of entries is increasing fast, so it seems to be spreading fast over the Internet.
Fortunately I found these valuable entries in my access_log:
-----------------------------------
218.**.198.87 - - [30/Aug/2004:06:20:01 -0600] "GET / HTTP/1.1" 200 40842 "-" "DSB 1.2.0h"
218.**.198.87 - - [30/Aug/2004:06:20:02 -0600] "GET /www.****-********.biz/access.php?a=15631CD7-
09004OEM007148160365&w=20&d=20040830213551&o=4.10.67766446.1.%20A%20&i=5.00.2614.3500&n=&v=1.2.0h
&e=&c=&b=&m=n&t=104&f=DSB&HTTP/1.1" 404 216 "-" "DSB 1.2.0h"
218.**.198.87 - - [30/Aug/2004:06:20:03 -0600] "GET /www.****-********.biz/update.php?a=15631CD7-
09004OEM007148160365&w=20&v=1.2.0h&&f=DSB&HTTP/1.1" 404 216 "-" "DSB 1.2.0h"
218.**.198.87 - - [30/Aug/2004:06:20:03 -0600] "GET /www.****-********.biz/kill.php?a=15631CD7-
09004OEM007148160365&w=20&f=DSB& HTTP/1.1" 404 214 "-" "DSB 1.2.0h"
-------------------------------
The first entry is a typical entry; 99.99% of the malicious accesses look like this, and the next three lines seem odd. Is "access.php" a statistics page? Is "update.php" an online updating page? ( DSB 1.1.1h --> DSB 1.2.0h ) Is "kill.php" a suicide page?
Does anyone have experience with it?
[edited by: jdMorgan at 2:36 pm (utc) on Aug. 30, 2004]
[edit reason] Fix side-scroll, remove specifics per TOS [/edit]
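The poster is doing this by eye in access_log. The script below is an added example (not code from the original post or from anyone in the thread) that automates the same triage: it parses Apache combined-format lines, keeps only the ones whose user-agent starts with "DSB ", counts versions and source IPs so the 1.1.1h -> 1.2.0h roll-over is visible, and pulls out the access.php / update.php / kill.php callback requests with their query parameters. It also handles the malformed request line visible in the post, where the client glued "HTTP/1.1" onto the query string instead of separating it with a space. The sample log lines are constructed: they use RFC 5737 documentation addresses, "www.example-placeholder.biz" and "ID-PLACEHOLDER" in place of the values the moderator redacted.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Apache "combined" log format. The protocol group is optional so that a
# request line where the client fused "HTTP/1.1" onto the query string
# (no separating space, as in the post) still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SUSPECT_UA_PREFIX = "DSB "                          # user-agent seen in the post
CALLBACK_SCRIPTS = {"access.php", "update.php", "kill.php"}  # the three odd requests

# Constructed sample log (documentation IPs, placeholder domain/id, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Aug/2004:06:20:01 -0600] "GET / HTTP/1.1" 200 40842 "-" "DSB 1.2.0h"
203.0.113.7 - - [30/Aug/2004:06:20:02 -0600] "GET /www.example-placeholder.biz/access.php?a=ID-PLACEHOLDER&w=20&v=1.2.0h&f=DSB&HTTP/1.1" 404 216 "-" "DSB 1.2.0h"
203.0.113.7 - - [30/Aug/2004:06:20:03 -0600] "GET /www.example-placeholder.biz/update.php?a=ID-PLACEHOLDER&w=20&v=1.2.0h&&f=DSB&HTTP/1.1" 404 216 "-" "DSB 1.2.0h"
203.0.113.7 - - [30/Aug/2004:06:20:03 -0600] "GET /www.example-placeholder.biz/kill.php?a=ID-PLACEHOLDER&w=20&f=DSB& HTTP/1.1" 404 214 "-" "DSB 1.2.0h"
198.51.100.23 - - [30/Aug/2004:06:21:10 -0600] "GET / HTTP/1.1" 200 40842 "-" "DSB 1.1.1h"
198.51.100.23 - - [30/Aug/2004:06:21:11 -0600] "GET /index.html HTTP/1.1" 200 40842 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20040830 Firefox/0.9"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["malformed_request"] = False
    if rec["proto"] is None:
        # Malformed request line: protocol token glued onto the path/query.
        fused = re.search(r"HTTP/\d\.\d$", rec["path"])
        if fused:
            rec["proto"] = fused.group(0)
            rec["path"] = rec["path"][:fused.start()]
            rec["malformed_request"] = True
    parsed = urlparse(rec["path"])
    rec["script"] = parsed.path.rsplit("/", 1)[-1]
    # parse_qs tolerates the trailing "&" and the doubled "&&" seen in the post.
    rec["params"] = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return rec


def is_suspect(rec):
    """True for records whose user-agent matches the DSB pattern."""
    return rec["ua"].startswith(SUSPECT_UA_PREFIX)


def analyze(log_text):
    """Summarise DSB traffic: versions, source IPs, root hits and callback requests."""
    versions, ips, callbacks = Counter(), Counter(), []
    root_hits = unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if not is_suspect(rec):
            continue
        versions[rec["ua"]] += 1
        ips[rec["ip"]] += 1
        if rec["path"] == "/":
            root_hits += 1
        if rec["script"] in CALLBACK_SCRIPTS:
            callbacks.append({
                "ip": rec["ip"],
                "script": rec["script"],
                "version": rec["params"].get("v"),   # client-reported version, if sent
                "status": rec["status"],
                "malformed": rec["malformed_request"],
            })
    return {"versions": versions, "ips": ips, "root_hits": root_hits,
            "callbacks": callbacks, "unparsed": unparsed}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("DSB versions seen:", dict(report["versions"]))
    print("Top source IPs:", report["ips"].most_common(5))
    print("Hits on /:", report["root_hits"])
    for cb in report["callbacks"]:
        print(f"callback {cb['script']} from {cb['ip']} v={cb['version']} "
              f"status={cb['status']} malformed_request={cb['malformed']}")
```

Run it against a real file with `analyze(open("/var/log/httpd/access_log").read())`. The callback requests all return 404 here because the host in the path does not exist on the server; the useful signal for a defender is the version parameter and the source IP, which the script exposes without needing the redacted identifiers.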