Snort mailing list archives

Re: Possible scr worm


From: john.ruff () us abb com
Date: Tue, 21 Aug 2001 10:20:35 -0400



Matthew:

Here's the payload data.  I view the data portion of these packets and they're all
the same, connecting to yahoo's smtp server.  However, weird thing is, the
payloads are all the same with an attachment "aug18.doc".  The packet below is
from the beginning of these occurrences on 8/17 (the same packet even until
now). Could this be from the W32.SirCam worm exposure that many email servers
are suffering from, causing the mass mailings to occur to many of its
subscribers?  View packet below:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/17-21:03:48.897052 216.136.173.10:110 -> 130.110.93.68:3059
TCP TTL:49 TOS:0x0 ID:30746 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x372450F9  Ack: 0x5A1F50B6  Win: 0x4470  TcpLen: 20
2B 4F 4B 20 39 38 35 33 30 20 6F 63 74 65 74 73  +OK 98530 octets
0D 0A 58 2D 41 70 70 61 72 65 6E 74 6C 79 2D 54  ..X-Apparently-T
6F 3A 20 6B 6F 72 6F 6C 79 6F 76 40 79 61 68 6F  o: korolyov@yaho
6F 2E 63 6F 6D 20 76 69 61 20 77 65 62 31 33 38  o.com via web138
30 38 2E 6D 61 69 6C 2E 79 61 68 6F 6F 2E 63 6F  08.mail.yahoo.co
6D 3B 20 31 37 20 41 75 67 20 32 30 30 31 20 31  m; 17 Aug 2001 1
37 3A 35 30 3A 33 33 20 2D 30 37 30 30 20 28 50  7:50:33 -0700 (P
44 54 29 0D 0A 52 65 63 65 69 76 65 64 3A 20 66  DT)..Received: f
72 6F 6D 20 73 6D 74 70 30 31 38 2E 6D 61 69 6C  rom smtp018.mail
2E 79 61 68 6F 6F 2E 63 6F 6D 20 28 32 31 36 2E  .yahoo.com (216.
31 33 36 2E 31 37 34 2E 31 31 35 29 0D 0A 20 20  136.174.115)..
62 79 20 6D 74 61 34 33 37 2E 6D 61 69 6C 2E 79  by mta437.mail.y
61 68 6F 6F 2E 63 6F 6D 20 77 69 74 68 20 53 4D  ahoo.com with SM
54 50 3B 20 31 37 20 41 75 67 20 32 30 30 31 20  TP; 17 Aug 2001
31 37 3A 35 30 3A 33 33 20 2D 30 37 30 30 20 28  17:50:33 -0700 (
50 44 54 29 0D 0A 52 65 63 65 69 76 65 64 3A 20  PDT)..Received:
66 72 6F 6D 20 75 6E 6B 6E 6F 77 6E 20 28 48 45  from unknown (HE
4C 4F 20 73 75 64 61 6B 29 20 28 31 33 30 2E 31  LO sudak) (130.1
31 30 2E 39 30 2E 31 37 34 29 0D 0A 20 20 62 79  10.90.174)..  by
20 73 6D 74 70 2E 6D 61 69 6C 2E 76 69 70 2E 73   smtp.mail.vip.s
63 35 2E 79 61 68 6F 6F 2E 63 6F 6D 20 77 69 74  c5.yahoo.com wit
68 20 53 4D 54 50 3B 20 31 38 20 41 75 67 20 32  h SMTP; 18 Aug 2
30 30 31 20 30 30 3A 35 30 3A 31 32 20 2D 30 30  001 00:50:12 -00
30 30 0D 0A 58 2D 41 70 70 61 72 65 6E 74 6C 79  00..X-Apparently
2D 46 72 6F 6D 3A 20 3C 6B 61 3F 6B 6F 72 6F 6C  -From: <ka?korol
79 6F 76 40 79 61 68 6F 6F 2E 63 6F 6D 3E 0D 0A  yov () yahoo com>..
4D 65 73 73 61 67 65 2D 49 44 3A 20 3C 30 30 31  Message-ID: <001
30 30 31 63 31 32 37 38 30 24 30 61 61 63 66 39  001c12780$0aacf9
64 30 24 61 65 35 61 36 65 38 32 40 6C 6F 63 61  d0$ae5a6e82@loca
6C 2E 6E 65 74 3E 0D 0A 46 72 6F 6D 3A 20 22 4B  l.net>..From: "K
6F 6E 73 74 61 6E 74 69 6E 20 4B 6F 72 6F 6C 79  onstantin Koroly
6F 76 22 20 3C 6B 61 5F 6B 6F 72 6F 6C 79 6F 76  ov" <ka_korolyov
40 79 61 68 6F 6F 2E 63 6F 6D 3E 0D 0A 54 6F 3A  @yahoo.com>..To:
20 22 4B 6F 6E 73 74 61 6E 74 69 6E 20 4B 6F 72   "Konstantin Kor
6F 6C 79 6F 76 22 20 3C 6B 6F 72 6F 6C 79 6F 76  olyov" <korolyov
40 79 61 68 6F 6F 2E 63 6F 6D 3E 0D 0A 52 65 66  @yahoo.com>..Ref
65 72 65 6E 63 65 73 3A 20 3C 30 30 31 39 30 31  erences: <001901
63 31 32 31 64 64 24 65 61 36 31 35 31 61 30 24  c121dd$ea6151a0$
34 34 35 64 36 65 38 32 40 4B 4B 4F 52 4F 4C 32  445d6e82@KKOROL2
4B 3E 0D 0A 53 75 62 6A 65 63 74 3A 20 52 65 3A  K>..Subject: Re:
20 68 74 74 70 3A 2F 2F 75 73 61 62 62 6F 32 70   http://usabbo2p
72 6F 78 79 3A 38 30 2F 61 72 72 61 79 2E 64 6C  roxy:80/array.dl
6C 3F 47 65 74 2E 52 6F 75 74 69 6E 67 2E 53 63  l?Get.Routing.Sc
72 69 70 74 0D 0A 44 61 74 65 3A 20 46 72 69 2C  ript..Date: Fri,
20 31 37 20 41 75 67 20 32 30 30 31 20 32 30 3A   17 Aug 2001 20:
34 31 3A 30 33 20 2D 30 34 30 30 0D 0A 4D 49 4D  41:03 -0400..MIM
45 2D 56 65 72 73 69 6F 6E 3A 20 31 2E 30 0D 0A  E-Version: 1.0..
43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 6D 75  Content-Type: mu
6C 74 69 70 61 72 74 2F 6D 69 78 65 64 3B 0D 0A  ltipart/mixed;..
09 62 6F 75 6E 64 61 72 79 3D 22 2D 2D 2D 2D 3D  .boundary="----=
5F 4E 65 78 74 50 61 72 74 5F 30 30 30 5F 30 30  _NextPart_000_00
30 37 5F 30 31 43 31 32 37 35 43 2E 45 45 34 35  07_01C1275C.EE45
43 39 37 30 22 0D 0A 58 2D 50 72 69 6F 72 69 74  C970"..X-Priorit
79 3A 20 33 0D 0A 58 2D 4D 53 4D 61 69 6C 2D 50  y: 3..X-MSMail-P
72 69 6F 72 69 74 79 3A 20 4E 6F 72 6D 61 6C 0D  riority: Normal.
0A 58 2D 4D 61 69 6C 65 72 3A 20 4D 69 63 72 6F  .X-Mailer: Micro
73 6F 66 74 20 4F 75 74 6C 6F 6F 6B 20 45 78 70  soft Outlook Exp
72 65 73 73 20 35 2E 35 30 2E 34 31 33 33 2E 32  ress 5.50.4133.2
34 30 30 0D 0A 58 2D 4D 69 6D 65 4F 4C 45 3A 20  400..X-MimeOLE:
50 72 6F 64 75 63 65 64 20 42 79 20 4D 69 63 72  Produced By Micr
6F 73 6F 66 74 20 4D 69 6D 65 4F 4C 45 20 56 35  osoft MimeOLE V5
2E 35 30 2E 34 31 33 33 2E 32 34 30 30 0D 0A 0D  .50.4133.2400...
0A 54 68 69 73 20 69 73 20 61 20 6D 75 6C 74 69  .This is a multi
2D 70 61 72 74 20 6D 65 73 73 61 67 65 20 69 6E  -part message in
20 4D 49 4D 45 20 66 6F 72 6D 61 74 2E 0D 0A 0D   MIME format....
0A 2D 2D 2D 2D 2D 2D 3D 5F 4E 65 78 74 50 61 72  .------=_NextPar
74 5F 30 30 30 5F 30 30 30 37 5F 30 31 43 31 32  t_000_0007_01C12
37 35 43 2E 45 45 34 35 43 39 37 30 0D 0A 43 6F  75C.EE45C970..Co
6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74  ntent-Type: text
2F 70 6C 61 69 6E 3B 0D 0A 09 63 68 61 72 73 65  /plain;...charse
74 3D 22 77 69 6E 64 6F 77 73 2D 31 32 35 31 22  t="windows-1251"
0D 0A 43 6F 6E 74 65 6E 74 2D 54 72 61 6E 73 66  ..Content-Transf
65 72 2D 45 6E 63 6F 64 69 6E 67 3A 20 37 62 69  er-Encoding: 7bi
74 0D 0A 0D 0A 0D 0A 0D 0A 2D 2D 2D 2D 2D 2D 3D  t........------=
5F 4E 65 78 74 50 61 72 74 5F 30 30 30 5F 30 30  _NextPart_000_00
30 37 5F 30 31 43 31 32 37 35 43 2E 45 45 34 35  07_01C1275C.EE45
43 39 37 30 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79  C970..Content-Ty
70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F  pe: application/
6D 73 77 6F 72 64 3B 0D 0A 09 6E 61 6D 65 3D 22  msword;...name="
61 75 67 31 38 2E 64 6F 63 22 0D 0A 43 6F 6E 74  aug18.doc"..Cont
65 6E 74 2D 54 72 61 6E 73 66 65 72 2D 45 6E 63  ent-Transfer-Enc
6F 64 69 6E 67 3A 20 62 61 73 65 36 34 0D 0A 43  oding: base64..C
6F 6E 74 65 6E 74 2D 44 69 73 70 6F 73 69 74 69  ontent-Dispositi
6F 6E 3A 20 61 74 74 61 63 68 6D 65 6E 74 3B 0D  on: attachment;.
0A 09 66 69 6C 65 6E 61 6D 65 3D 22 61 75 67 31  ..filename="aug1
38 2E 64 6F 63 22 0D 0A 0D 0A 30 4D 38 52 34 4B  8.doc"....0M8R4K
47 78 47 75 45 41 41 41 41 41 41 41 41 41 41 41  GxGuEAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 50 67 41 44 41 50  AAAAAAAAAAPgADAP
37 2F 43 51 41 47 41 41 41 41 41 41 41 41 41 41  7/CQAGAAAAAAAAAA
41 41 41 41 41 42 41 41 41 41 62 41 41 41 41 41  AAAAABAAAAbAAAAA
41 41 41 41 41 41 0D 0A 45 41 41 41 62 67 41 41  AAAAAA..EAAAbgAA
41 41 45 41                                      AAEA

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


From: "Matthew Collins" <Matthew.Collins () northernregistrars co uk>
Date: 08/21/2001 04:07 AM



To:   snort-users () lists sourceforge net, John Ruff/ETI/USTRA/ABB@ABB_USTRA
cc:
Subject:  Re: [Snort-users] Possible scr worm

Security Level: Internal



How about you include the payload, can't tell what it is without the packet
contents.


<john.ruff () us abb com> 20/08/01 16:23:59 >>>


Any idea what might be causing this alert to be generated?  I realize it's POP3
traffic (probably someone's internet mail acct.), but is there something new out
there generating these alerts?  I've actually got about 3600 of these alerts
which just started Saturday (8/18/01).  If you need more info, let me know.

[**] [1:729:1] Virus - Possible scr Worm [**]
08/20-10:04:45.515817 216.136.173.10:110 -> 130.110.93.68:4062
TCP TTL:49 TOS:0x0 ID:2259 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x878CAF66  Ack: 0x2AE6A993  Win: 0x4470  TcpLen: 20
****************************************************************************************

This message and any attachments are confidential to the ordinary user of
the e-mail address to which it was addressed and may also be privileged.
If you are not the addressee you may not copy, forward, disclose or use
any part of the message or its attachments and if you have received this
message in error, please notify the sender immediately by return e-mail and
delete it from your system.
Internet communications cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, arrive late or contain
viruses. The sender therefore does not accept liability for any errors or
omissions in the context of this message which arise as a result of Internet
transmission.
Northern Registrars Limited, Northern House, Woodsome Park, Fenay
Bridge, Huddersfield. HD8 0LA.
Tel: +44 (0) 1484 600900  Fax: +44 (0) 1484 600911
For more information visit our web site: http://www.northernregistrars.co.uk
****************************************************************************************

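The check John did by eye (reading the ASCII column, spotting the aug18.doc attachment) can be automated, and doing so also shows what the signature itself could have matched. The script below is an added example and is not code from the thread, from Snort, or from either poster. It assumes the Snort 1.x `-d` dump layout shown above (sixteen `HH ` cells in 48 columns, then the ASCII rendering) and assumes that sid 729 "Virus - Possible scr Worm" is a bare, case-insensitive content match on the string `.scr` in port-110 traffic, which is how the virus.rules signatures of that era were written; the sample message is a constructed abridgement of the headers visible in the dump (the Received and X-* headers are left out), with the base64 body cut off where the 1500-byte packet ends, and the helper names are my own.

```python
"""Rebuild the POP3 payload from a Snort hex dump and list what a
case-insensitive '.scr' content match could have fired on."""
from __future__ import annotations

import email
import re
from email import policy

HEXBYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def snort_hexdump(data: bytes) -> str:
    """Render bytes in Snort's -d layout: 16 "HH " cells (48 columns), then ASCII."""
    lines = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexcol = "".join(f"{b:02X} " for b in chunk).ljust(48)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{hexcol} {asc}")
    return "\n".join(lines)


def parse_snort_dump(text: str) -> bytes:
    """Recover the payload bytes from a pasted Snort dump.

    Only the hex column is trusted: the list archive rewrote '@' as ' () ' in
    the ASCII column, while the hex cells (40 for '@') are intact.  Packet
    header lines such as "TCP TTL:49 ..." or "***A**** Seq: ..." are not runs
    of two-digit hex cells and are skipped.
    """
    out = bytearray()
    for line in text.splitlines():
        cells = line[:48].split()
        if cells and all(HEXBYTE.match(c) for c in cells):
            out.extend(int(c, 16) for c in cells)
    return bytes(out)


def split_pop3_retr(payload: bytes) -> tuple[str, bytes]:
    """Separate the POP3 "+OK n octets" status line from the RFC 822 message."""
    status, sep, message = payload.partition(b"\r\n")
    if not sep or not status.startswith(b"+OK"):
        raise ValueError("payload does not start with a successful POP3 RETR response")
    return status.decode("ascii", "replace"), message


def scr_tokens(raw: bytes) -> list[str]:
    """Whitespace-delimited tokens containing '.scr' in any case: the places a
    bare case-insensitive content match on the payload would fire (assumed rule form)."""
    return [m.group().decode("latin-1")
            for m in re.finditer(rb"\S*\.scr\S*", raw, re.IGNORECASE)]


def analyze_dump(dump_text: str) -> dict:
    """Parse the dump, list MIME attachments, and locate every '.scr' match."""
    status, raw = split_pop3_retr(parse_snort_dump(dump_text))
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = [(p.get_filename(), p.get_content_type())
                   for p in msg.walk() if p.get_filename()]
    return {
        "pop3_status": status,
        "subject": str(msg["Subject"]),
        "attachments": attachments,
        "scr_attachments": [fn for fn, _ in attachments if fn.lower().endswith(".scr")],
        "scr_tokens": scr_tokens(raw),
    }


# Constructed sample: an abridgement of the headers visible in the thread's dump,
# with the base64 body truncated where the 1500-byte packet ends.
SAMPLE_MESSAGE = (
    b'From: "Konstantin Korolyov" <ka_korolyov@yahoo.com>\r\n'
    b'To: "Konstantin Korolyov" <korolyov@yahoo.com>\r\n'
    b"Subject: Re: http://usabbo2proxy:80/array.dll?Get.Routing.Script\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed;\r\n\tboundary="----=_NextPart_000_0007_01C1275C.EE45C970"\r\n'
    b"\r\nThis is a multi-part message in MIME format.\r\n\r\n"
    b"------=_NextPart_000_0007_01C1275C.EE45C970\r\n"
    b'Content-Type: text/plain;\r\n\tcharset="windows-1251"\r\n'
    b"Content-Transfer-Encoding: 7bit\r\n\r\n\r\n\r\n"
    b"------=_NextPart_000_0007_01C1275C.EE45C970\r\n"
    b'Content-Type: application/msword;\r\n\tname="aug18.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment;\r\n\tfilename="aug18.doc"\r\n\r\n'
    b"0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAbAAAAA\r\nEAAAbgAAAAEA"
)
SAMPLE_DUMP = snort_hexdump(b"+OK 98530 octets\r\n" + SAMPLE_MESSAGE)

if __name__ == "__main__":
    for key, value in analyze_dump(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On the sample the report lists one attachment, aug18.doc of type application/msword, and no attachment ending in .scr; the only case-insensitive `.scr` anywhere in the payload sits inside the Subject token `http://usabbo2proxy:80/array.dll?Get.Routing.Script`. If the signature is the bare content match assumed above, that substring of "Script" is what fired, so the 3600 alerts are explained by the subject line of one repeatedly re-fetched message rather than by a screensaver attachment, and the next step is to pull the full message from the mailbox rather than judge it from the first 1500-byte packet. The parser deliberately ignores the ASCII column, because the archive's address munging (`yov () yahoo com`) shows it is not a faithful copy of the bytes.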