I don't believe Windows XP is going to be affected by this worm, due to the
fact null is disabled by default.

- - Tom G.

Scott Fendley <scottfat_private>
12/17/2002 11:24 AM

To: "Scott A.McIntyre" <scottat_private>, incidentsat_private
cc:
Subject: Re: Worm on 445/tcp?

I think what you are seeing is the newest worm to come out called LIOTEN or
Iraqi Oil worm. It appears that it is only infecting windows 2k/XP servers via
SMB connections. There appears to be a lot of details amongst the following
URLs which can do a better job describing this worm than I could.

--Scott

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lioten.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LIOTEN.A
http://vil.mcafee.com/dispVirus.asp?virus_k=99897
http://www.mynetwatchman.com/kb/security/articles/iraqiworm/index.htm
http://www.unixwiz.net/iraqworm/

At 08:56 AM 12/17/2002 +0100, Scott A.McIntyre wrote:
>Over the past two weeks or so I've been noticing a steady rise in what
>appears to be worm related traffic to the new unified smb over tcp port
>(445) on Microsoft Win2k and newer operating systems.
>
>I haven't yet been able to properly identify what the culprit is; at first
>I thought a variation of OpaServ, and that hasn't been fully ruled out,
>but I'm not quite convinced of that either. Anyone have any clues that
>might help pin this down further?
>
>An infected machine seems to send the following:
>
>1095 114.002629 src -> dst SMB Negotiate Protocol Request
>1105 114.363458 src -> dst SMB Session Setup AndX Request
>1106 114.774364 src -> dst SMB Session Setup AndX Request
>1107 115.168792 src -> dst SMB Tree Connect AndX Request, Path: \\dst\IPC$
>1110 115.330792 src -> dst SMB NT Create AndX Request, Path: \samr
>1112 115.652261 src -> dst DCERPC Bind: call_id: 1 UUID: SAMR
>1136 117.759036 src -> dst SAMR Connect4 request
>1137 118.299350 src -> dst SMB Close Request, FID: 0x4000
>1142 119.004483 src -> dst SMB Logoff AndX Request
>1150 119.375665 src -> dst SMB Tree Disconnect Request
>
>And another:
>
>7.933416 src -> dst SMB Negotiate Protocol Request
>10.958481 src -> dst SMB Session Setup AndX Request
>13.654558 src -> dst SMB Tree Connect AndX Request, Path: \\dst\IPC$
>13.926353 src -> dst SMB NT Create AndX Request, Path: \samr
>15.231252 src -> dst DCERPC Bind: call_id: 1 UUID: SAMR
>17.149345 src -> dst SAMR Connect4 request
>20.405997 src -> dst SAMR EnumDomains request
>23.579240 src -> dst SAMR LookupDomain request
>25.341903 src -> dst SAMR OpenDomain request
>25.891947 src -> dst SAMR EnumDomainUsers request
>26.597393 src -> dst SAMR Close request
>29.615040 src -> dst SMB Close Request, FID: 0x4000
>30.048894 src -> dst SMB Logoff AndX Request
>32.738878 src -> dst SMB Tree Disconnect Request
>
>
>It appears as though there's a high degree of randomness to the
>destination IP addresses that are chosen by the worm as can be seen from
>this 1 second snapshot:
>
>
> 121.33.1.48
> 91.71.109.105
> 76.123.46.27
> 222.120.99.35
> 124.72.254.8
> 17.64.153.118
> 27.23.33.121
> 185.33.178.38
> 151.49.213.31
> 167.60.15.125
> 132.86.243.68
> 26.125.133.71
> 1.104.130.21
> 40.88.91.120
> 48.101.140.21
> 48.93.34.36
> 193.60.220.48
> 117.26.58.96
> 27.2.15.114
> 25.7.221.31
>
>
>Note: the infected system's ip address is not within any of these network
>segments.
>
>I've noticed others reporting a similar increase in traffic, but so far
>haven't seen a definitive acknowledgment of precisely what it is that's
>responsible.
>
>Any pointers gratefully accepted.
>
>
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management and
>tracking system please see: http://aris.securityfocus.com
>

---
Scott Fendley                  scottfat_private
Systems/Security Analyst       (479) 575-2022
University of Arkansas         (479) 575-4753 fax
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 12:19:00 PST