You have a worm called: frethem http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FRETHEM .M&VSect=T -----Original Message----- From: Russell Fulton [mailto:r.fultonat_private] Sent: Friday, August 02, 2002 5:46 AM To: incidentsat_private; unisogat_private Cc: auscertat_private Subject: [unisog] odd traffic on port 80 from win 98 system I have posted this to both the incidents and unisog lists -- apologies those of you who are on both... Over the last 5 days a windows 98 system belonging to an academic has been probing, what at first look appearently random addresses on tcp 80. The probes are two about 3 - 4 addresses a minute -- much lower than any worms I've seen before. They look like connections from the regular stack, source port increments, 4 or 5 SYNs sent if no response from destination. I say 'appearently random address' because on closer examination most of the addresses are from cable or DSL providers around the world -- about what you would expect for a p2p app. The machine is owned by a responsible, technically competent, senior academic (he taught me first year Physics over 30 years ago ;-). It has up to date NAV software with up to date definitions which has not detected anything untoward. When I first alerted them that something odd was going on they install a program that monitored network activity and it said that 'taskbar.exe' was accessing the network at which point I started tcpdump to grab all traffic from the machine that was leaving the network. Here is what I found: 17:13:07.654448 geb.phy.auckland.ac.nz.1566 > n002.n202-178-254-0-24.ethome.net.www: P 1:118(117) ack 1 win 8760 (DF) 0x0000 4500 009d ed04 4000 7e06 8d45 82d8 3683 E.....@.~..E..6. 0x0010 cab2 fe02 061e 0050 000f f95a ee38 fec8 .......P...Z.8.. 0x0020 5018 2238 8b90 0000 4745 5420 2f62 2e63 P."8....GET./b.c 0x0030 6769 3f61 6c74 2631 3734 3634 3239 3637 gi?alt&174642967 0x0040 2630 3030 3030 3030 3030 3030 3020 4854 &000000000000.HT 0x0050 5450 TP this is the packet that is sent to any addresses that respond on port 80. The URIs are all identical except for the first number after the alt, which change but all of the small sample I looked at start with 17 and have 9 digits. Anyone recognise this? Google produced several hits on /b.cgi but nothing that seemed relevant. Ah, one more detail: From our argus logs I have established that the traffic started at 12:35 on the 22nd (UTC + 1200) with no incoming traffic for the previous hour. So far as the user can remember they were clearing email at the time. Pity I did not get on to this sooner he might have remembered more if 5 days had not elapsed, sigh... The machine is rebooted every day so what ever it is survives reboots. This looks like a P2P app but I don't recall one that works over http. Come Monday. I'll grab the best MS experties I can get and go and investigate the machine itself. -- Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand 'It aint necessarily so' - Gershwin PS why do things like this break at 5pm on Friday? ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Aug 02 2002 - 08:25:04 PDT