[Full-Disclosure] W32/Welchia, W32/Nachi backdoor?

From: Barry Irwin (bvi_at_lair.moria.org)
Date: 08/20/03

    To: "'Full-Disclosure@Lists.Netsys.Com'" <full-disclosure@lists.netsys.com>
    Date: Wed, 20 Aug 2003 17:20:15 +0200
    
    

    From the AUSCERT announcement

    > It usually arrives as DLLHOST.EXE (~10,240 bytes) and opens port 707, for
    > its malicious routines. Similar to the earlier MSBLAST worm variants, this
    > malware also exploits the RPC DCOM Buffer Overflow, and instructs target
    > systems to download its copy from the affected system using the TFTP
    > program [1]

    > creates a backdoor listening on TCP/707 or some other randomly chosen port
    > between TCP/666 and TCP/765 [2]

    Telnetting to this port seems to disconnect after 1-5 characters have been
    entered? This doesn't look like TFTP (port 65/tcp&UDP), and the Windows
    tftp client doesn't seem to offer any means of specifying a port to connect
    to?

    Is this some kind of password protected backdoor?

    Barry

    [1]http://www.auscert.org.au/render.html?it=3359&cid=1
    [2]http://securecomputing.stanford.edu/win-rpc.html

    --
    Barry Irwin
    bvi@moria.org
    http://lair.moria.org
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
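As an added illustration (not part of the original post or the AUSCERT/Stanford notes), a defender-side check that uses the two facts quoted above: the worm's listener sits on TCP/707 or another port in TCP/666-765, and the victim then fetches the copy over TFTP. The script correlates, per (source, destination) pair, a TCP connection to that port range followed within a short window by UDP/69 to the same host. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the post). Assumed format:
# "<ISO timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-08-20T17:01:02 TCP 10.0.0.5:1043 -> 10.0.0.9:707
2003-08-20T17:01:03 UDP 10.0.0.5:1044 -> 10.0.0.9:69
2003-08-20T17:05:10 TCP 10.0.0.7:2201 -> 10.0.0.9:80
2003-08-20T17:06:00 TCP 10.0.0.7:2202 -> 10.0.0.12:740
2003-08-20T17:30:00 UDP 10.0.0.7:2203 -> 10.0.0.12:69
"""

LINE_RE = re.compile(r"^(\S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")
BACKDOOR_PORTS = range(666, 766)   # TCP/666..TCP/765, as quoted from [2]
TFTP_PORT = 69                     # TFTP is UDP/69
WINDOW = timedelta(minutes=5)      # assumed correlation window


def parse_log(text):
    """Parse constructed log lines into (ts, proto, src, dst, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, proto, src, _sport, dst, dport = m.groups()
        events.append((datetime.fromisoformat(ts), proto, src, dst, int(dport)))
    return events


def find_welchia_pairs(events, window=WINDOW):
    """Return (src, dst, backdoor_port) for each TCP contact to a port in
    666-765 that is followed, within `window`, by UDP/69 from the same
    source to the same destination host."""
    backdoor = defaultdict(list)   # (src, dst) -> [(ts, port), ...]
    for ts, proto, src, dst, dport in events:
        if proto == "TCP" and dport in BACKDOOR_PORTS:
            backdoor[(src, dst)].append((ts, dport))
    hits = []
    for ts, proto, src, dst, dport in events:
        if proto == "UDP" and dport == TFTP_PORT:
            for bts, bport in backdoor.get((src, dst), []):
                if timedelta(0) <= ts - bts <= window:
                    hits.append((src, dst, bport))
    return hits


if __name__ == "__main__":
    for src, dst, port in find_welchia_pairs(parse_log(SAMPLE_LOG)):
        print(f"possible Welchia transfer: {src} -> {dst} (backdoor TCP/{port}, then TFTP)")
```

In the sample, the second host pair also touches a port in the range (TCP/740) but its TFTP request comes 24 minutes later, so it falls outside the window and is not reported.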
    
