RE: [unisog] odd traffic on port 80 from win 98 system

From: Chris Gundersen (gunnyat_private)
Date: Fri Aug 02 2002 - 06:28:10 PDT

  • Next message: Darlene Steeper: "RE: [unisog] odd traffic on port 80 from win 98 system"

    That sounds like Frethem.E to me...uses a "taskbar.exe" process and
    attempts to connect to various addresses (all with b.cgi present) to
    convey data.
    This is Symantec's writeup:
    Here is a list of many possible addresses this virus likes to try and
    access (got this from a German network security website...can provide a
    link and rough translation if necessary)
    Do any of these look familiar?
    -Chris Gundersen
    Grand Pooba of Computer Stuff
    -----Original Message-----
    From: Russell Fulton [mailto:r.fultonat_private] 
    Sent: Friday, August 02, 2002 5:46 AM
    To: incidentsat_private; unisogat_private
    Cc: auscertat_private
    Subject: [unisog] odd traffic on port 80 from win 98 system
    I have posted this to both the incidents and unisog lists -- apologies
    those of you who are on both...
    Over the last 5 days a windows 98 system belonging to an academic has
    been probing, what at first look appearently random addresses on tcp 80.
    The probes are two about 3 - 4 addresses a minute -- much lower than any
    worms I've seen before.  They look like connections from the regular
    stack, source port increments, 4 or 5 SYNs sent if no response from
    destination. I say 'appearently random address' because on closer
    examination most of the addresses are from cable or DSL providers around
    the world -- about what you would expect for a p2p app.
    The machine is owned by a responsible, technically competent, senior
    academic (he taught me first year Physics over 30 years ago ;-). It has
    up to date NAV software with up to date definitions which has not
    detected anything untoward.  When I first alerted them that something
    odd was going on they install a program that monitored network activity
    and it said that 'taskbar.exe' was accessing the network at which point
    I started tcpdump to grab all traffic from the machine that was leaving
    the network.
    Here is what I found:
    17:13:07.654448 > P 1:118(117) ack 1 win 8760 (DF)
    0x0000   4500 009d ed04 4000 7e06 8d45 82d8 3683        E.....@.~..E..6.
    0x0010   cab2 fe02 061e 0050 000f f95a ee38 fec8        .......P...Z.8..
    0x0020   5018 2238 8b90 0000 4745 5420 2f62 2e63        P."8....GET./b.c
    0x0030   6769 3f61 6c74 2631 3734 3634 3239 3637        gi?alt&174642967
    0x0040   2630 3030 3030 3030 3030 3030 3020 4854        &000000000000.HT
    0x0050   5450                                           TP
    this is the packet that is sent to any addresses that respond on port
    80.  The URIs are all identical except for the first number after the
    alt, which change but all of the small sample I looked at start with
    17 and have 9 digits.
    Anyone recognise this?
    Google produced several hits on /b.cgi but nothing that seemed relevant.
    Ah, one more detail:  From our argus logs I have established that the
    traffic started at 12:35 on the 22nd (UTC + 1200) with no incoming
    traffic for the previous hour.  So far as the user can remember they
    were clearing email at the time.  Pity I did not get on to this sooner
    he might have remembered more if 5 days had not elapsed, sigh... 
    The machine is rebooted every day so what ever it is survives reboots.
    This looks like a P2P app but I don't recall one that works over http.
    Come Monday.  I'll grab the best MS experties I can get and go and
    investigate the machine itself.
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    'It aint necessarily so'  - Gershwin
    PS why do things like this break at 5pm on Friday?
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Fri Aug 02 2002 - 08:21:07 PDT