Re: [Full-disclosure] No one else seeing the new MS05-039 worm yet?

From: Something Anonymous (something.anonymous_at_gmail.com)
Date: 08/30/05

    Date: Tue, 30 Aug 2005 09:27:39 -0400
    To: full-disclosure@lists.grok.org.uk

    Does it listen on port 5000 too? 2 attempts we've seen come from machines
    nmap'd below - wonder if it's what you're talking about - we think they're
    being used as a proxy to jump from

    -sa
    "Who you tryin' to get crazy with ese? Don't you know I'm loco?"

    --------------------------------------------------------------------------------------------

    (The 1653 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    80/tcp filtered http
    135/tcp filtered msrpc
    136/tcp filtered profile
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    1025/tcp open NFS-or-IIS
    5000/tcp open UPnP
    6346/tcp open gnutella
    Device type: general purpose
    Running: Microsoft Windows NT/2K/XP
    OS details: Microsoft Windows XP Pro RC1+ through final release
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=13485 (Worthy challenge)
    IPID Sequence Generation: Busy server or unknown class

    Nmap finished: 1 IP address (1 host up) scanned in 479.660 seconds
                   Raw packets sent: 16 (960B) | Rcvd: 10 (558B)

    --------------------------------------------------------------------------------------------

    (The 1654 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    135/tcp filtered msrpc
    136/tcp filtered profile
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    1025/tcp filtered NFS-or-IIS
    5000/tcp open UPnP
    6346/tcp open gnutella
    Device type: firewall
    Running: Symantec Solaris 8
    OS details: Symantec Enterprise Firewall v7.0.4 (on Solaris 8)
    OS Fingerprint:
    T1(Resp=N)
    T2(Resp=N)
    T3(Resp=N)
    T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
    T5(Resp=N)
    T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
    T7(Resp=N)
    PU(Resp=Y%DF=N%TOS=20%IPLEN=38%RIPTL=148%RIPCK=E%UCK=F%ULEN=134%DAT=E)

    Nmap finished: 1 IP address (1 host up) scanned in 40.168 seconds
                   Raw packets sent: 1892 (76.4KB) | Rcvd: 1765 (81.3KB)

    --------------------------------------------------------------------------------------------

    On 8/30/05, Vic Vandal <vvandal@well.com> wrote:
    > This has been going around since early Monday afternoon. Symantec
    > and other AV vendors have had code since then, and no details STILL.
    >
    > I guess one can call it the Katrina worm until something better comes
    > along.
    >
    > Details:
    > - Exploits MS05-039, but also MS04-011 and MS03-026.
    > - Scans on port 5000 and 135.
    > - On workstations opens up range of listening ports above 1024,
    > visible with "netstat -a".
    > - Creates 40K svc.exe and several randomly named LARGE .exe files
    > in: C:\WINNT directory.
    > - Sticks a long line of hosts resolving to broadcast address in:
    > C:\WINNT\System32\Drivers\etc in hosts file.
    > - Adds reg key(s) under:
    > HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    > which are those random .exe file names mentioned above.
    > - May create svc.exe and exe.tmp reg keys under:
    > HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\(machine key)\
    > FilesNamedMRU (may be unrelated, not generally found on infected box).
    > - Prevents killing processes via Task Manager (all processes backed by
    > gray color, clicking individual processes does nothing).
    > - One can use other utilities to kill running malware processes.
    > - Symantec may report as Bobax.Z@mm and/or W32.HLLW.Nebiwo.
    >
    > Cleanup:
    > - Backup registry.
    > - Delete malware-related reg keys as noted.
    > - Delete malware-related files.
    > - Re-check registry, as executables may enter new values before all
    > cleanup actions complete.
    > - Edit hosts file, removing added data and saving afterward.
    > - Empty Recycle Bin.
    > - Patch infected machine.
    > - Reboot.
    > - Verify that symptoms are gone.
    >
    > I've not had time to decompile code to dig out other details, but
    > cleanup routine seems sufficient for most part. Have had working
    > routine since early afternoon, and expected details from vendors
    > long before now.
    >
    > Peace,
    > Vic
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    >
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
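
    Added example (not code from the original post or from anyone on the list): a small Python triage script for the two indicators in the thread that are concrete enough to test for offline, namely hosts-file names pointed at a broadcast address, and the port pattern visible in the scans above (5000/tcp open, RPC/SMB ports filtered, listeners above 1024). The hosts-file and nmap excerpts below are constructed for the example, the exact broadcast address the worm writes is not stated in the thread, so the check treats both 255.255.255.255 and the /24 directed broadcast as hits (an assumption), and the port pattern is only what the two posted scans show, not a confirmed worm signature.

```python
import ipaddress
import re

# Constructed sample hosts file (not from an infected machine): two normal
# entries plus the kind of line Vic describes, many names pointed at a
# broadcast address so that the hosts can no longer be reached.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        fileserver   # internal box, legitimate
255.255.255.255 liveupdate.symantecliveupdate.com update.symantec.com windowsupdate.com
10.0.0.255      av.example.test
"""

# Constructed nmap normal-output excerpt modelled on the scans in the post.
SAMPLE_NMAP = """\
PORT     STATE    SERVICE
80/tcp   filtered http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1025/tcp open     NFS-or-IIS
5000/tcp open     UPnP
6346/tcp open     gnutella
"""

HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*(?:#.*)?$")
NMAP_PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def is_broadcast(ip_text, assume_prefix=24):
    """True for the limited broadcast address, or for the directed broadcast
    of the enclosing /24. ASSUMPTION: the thread only says 'resolving to
    broadcast address', so both forms are treated as hits."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ipaddress.AddressValueError:
        return False
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return True
    net = ipaddress.IPv4Network(f"{ip}/{assume_prefix}", strict=False)
    return ip == net.broadcast_address


def broadcast_hosts_entries(hosts_text):
    """Return [(hostname, ip)] for every name mapped to a broadcast address."""
    hits = []
    for line in hosts_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        if is_broadcast(ip):
            hits.extend((name, ip) for name in names)
    return hits


def parse_nmap_ports(nmap_text):
    """Map 'port/proto' -> (state, service) from nmap's normal output."""
    ports = {}
    for line in nmap_text.splitlines():
        m = NMAP_PORT_LINE.match(line)
        if m:
            ports[f"{m.group(1)}/{m.group(2)}"] = (m.group(3), m.group(4))
    return ports


def nmap_observations(ports):
    """Summarise what the thread is looking at: is 5000/tcp open, are the
    RPC/SMB ports filtered, and which TCP ports above 1024 are listening."""
    def state(p):
        return ports.get(p, ("absent", ""))[0]

    high_open = sorted(
        int(p.split("/")[0])
        for p, (st, _) in ports.items()
        if p.endswith("/tcp") and st == "open" and int(p.split("/")[0]) > 1024
    )
    return {
        "upnp_5000_open": state("5000/tcp") == "open",
        "rpc_smb_filtered": all(state(p) == "filtered"
                                for p in ("135/tcp", "139/tcp", "445/tcp")),
        "high_tcp_open": high_open,
    }


def triage(hosts_text, nmap_text):
    """Combine both checks into one report dict."""
    return {
        "hosts_broadcast_entries": broadcast_hosts_entries(hosts_text),
        "nmap": nmap_observations(parse_nmap_ports(nmap_text)),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_HOSTS, SAMPLE_NMAP)
    for name, ip in report["hosts_broadcast_entries"]:
        print(f"hosts file: {name} -> {ip} (broadcast, likely tampered)")
    print("nmap:", report["nmap"])
```

    On a real box the hosts file is read from %SystemRoot%\System32\drivers\etc\hosts and the nmap text from a saved -oN scan; a hosts hit is the stronger of the two signals, since open 5000/tcp on its own is also what a stock XP machine with UPnP enabled looks like.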

