Richard.Grantat_private wrote:

> We had some internal machines that were contributing to the netbios flood
> attack. These machines were sniffed and from that we found a file on the
> identified machines named scrsvr.exe. The file was reverse engineered and
> the results are listed below. While some are attributing the netbios
> activity to Bugbear@mm it does not follow what we were seeing. It is known
> as W32.Opaserv.Worm. Comments?

Two...

You are right that Bugbear does not produce the flood of port 137 traffic
currently being reported. Bugbear does some spreading via open or otherwise
accessible shares (those writable with the permissions of the user that ran
the EXE) but it uses standard known network resource enumeration APIs to do
its work. Opaserv (aka Scrup, Scrsvr, Opasoft) aggressively scans for
machines listening on port 137 and is the likely source of most of the
increased port 137 activity.

> ScrSvr31415.KERNEL32.dll.RegisterServiceProcess.SOFTWARE\Microsoft\Wind
> ows\CurrentVersion\Run.Software\Microsoft\Windows\CurrentVersion\Interne
> t
> Settings.ScrSvr.ScrSvrOld.ProxyEnable.ProxyServer.\ScrSvr.exe.ScrSin.dat
> .ScrSout.dat.scrupd.exe.www.opasoft.com.GET
> http://www.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0
> HTTP/1.1..Host: www.opasoft.com.....GET
> http://www.opasoft.com/work/lastver HTTP/1.1..Host: <<snip>>

Good thing that, unlike in Bugbear's case, the EXE was not packed with a
runtime compressor. Running strings on an EXE hardly counts as "reverse
engineering".

Regards,

Nick FitzGerald

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management and tracking system
please see: http://aris.securityfocus.com
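A small triage check in the spirit of the sniffing described in the thread, added here as an example (it is not code from either poster): it reads firewall log lines and flags internal hosts probing many distinct addresses on UDP/137, the sweep pattern the reply attributes to Opaserv rather than Bugbear. The log format, the addresses and the threshold are constructed assumptions for the example.

```python
"""Flag hosts fanning out NetBIOS name-service (UDP/137) probes in
firewall logs. Log format and sample lines are constructed for this
example; adapt LINE_RE to the real firewall's format."""
from collections import defaultdict
import re

# Constructed format: "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 10.1.1.7 sweeps an address range on UDP/137,
# 10.1.1.9 does ordinary name lookups to two local peers.
SAMPLE_LOG = """\
12:00:01 DENY UDP 10.1.1.7:137 -> 192.0.2.1:137
12:00:01 DENY UDP 10.1.1.7:137 -> 192.0.2.2:137
12:00:01 DENY UDP 10.1.1.7:137 -> 192.0.2.3:137
12:00:02 DENY UDP 10.1.1.7:137 -> 192.0.2.4:137
12:00:02 DENY UDP 10.1.1.7:137 -> 192.0.2.5:137
12:00:02 ALLOW UDP 10.1.1.9:137 -> 10.1.1.1:137
12:00:03 ALLOW TCP 10.1.1.9:4412 -> 10.1.1.1:139
12:00:03 ALLOW UDP 10.1.1.9:137 -> 10.1.1.2:137
"""

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def netbios_scanners(log_text, min_targets=4):
    """Return {src: sorted distinct dst list} for sources that sent UDP/137
    probes to at least `min_targets` distinct hosts. A normal workstation's
    name-service lookups touch a handful of peers; a worm sweeping address
    ranges touches many, so the distinct-target count is the signal."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["proto"] == "UDP" and rec["dport"] == "137":
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, dsts in netbios_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} distinct UDP/137 targets, e.g. {dsts[:3]}")
```

Hosts it reports are candidates for the same sniff-and-inspect step the original poster describes, not a verdict on their own.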
This archive was generated by hypermail 2b30 : Thu Oct 03 2002 - 16:58:34 PDT