Assembler snippet (Re: Suspicious WebDAV Traffic)

From: Mad|Es02 (cRACK_exe_at_HOTMAIL.COM)
Date: 04/08/04

    Date:         Thu, 8 Apr 2004 22:57:57 +1000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    (Moderator, My apologies if this isn't appropriate content for this list.
    If this could be packaged in a more appropriate form, please let me know and
    I'll make adjustments to my posting accordingly.
    -Tom)

    Ok, I've thrown it into Hiew and found it to contain valid x86 assembly language, which I will reproduce below courtesy of Hackman Disassembler Studio.
    Basically I decoded it in Hiew to be certain it was program code; I thought it was, but I wanted to be sure... I then disassembled it properly so that it could be reproduced below. As to what the code does: no idea as of yet, I'm still learning assembler, but if I can make any sense of it I'll post. Looking down it, it looks to me (however inaccurate this may be) that it is challenging something, possibly a brute-force attack?
    NB: This is my first contribution to the NTBugtraq list and I'm not 100% sure of the format etc. here, therefore if I've breached etiquette just tell me. :D

    Note: the following was produced using the hex code only (reproduced along with the original message at the end of this post). None of the additional headers were decompiled or even thoroughly looked at. Also, don't ask me what those CS: lines are; they look weird, but I don't understand the language well enough to even know what they are, let alone what they are doing, as they are not listed in my Hex <-> Assembly reference.

    -Tom Hobson
    IT Tech Support
    Socialist Alliance (Brisbane North Branch)
    cRACK_exe@hotmail.com

    Filename: C:\...\hiew\New.exe Disassembled by Hackman 6.0
    --------------------------------------------------------------------------------------------

    Address Source Code Flags

    0000:0000 307830 XOR BYTE PTR [EAX+30],BH
    0000:0003 3030 XOR BYTE PTR [EAX],DH
    0000:0005 303A XOR BYTE PTR [EDX],BH
    0000:0007 2030 AND BYTE PTR [EAX],DH
    0000:0009 3020 XOR BYTE PTR [EAX],AH
    0000:000B 41 INC ECX
    0000:000C 3020 XOR BYTE PTR [EAX],AH
    0000:000E 43 INC EBX
    0000:000F 3920 CMP DWORD PTR [EAX],ESP
    0000:0011 44 INC ESP
    0000:0012 3820 CMP BYTE PTR [EAX],AH
    0000:0014 3537204235 XOR EAX,35422037
    0000:0019 2030 AND BYTE PTR [EAX],DH
    0000:001B 3020 XOR BYTE PTR [EAX],AH
    0000:001D 36 SS:
    0000:001E 3020 XOR BYTE PTR [EAX],AH
    0000:0020 3937 CMP DWORD PTR [EDI],ESI
    0000:0022 204531 AND BYTE PTR [EBP+31],AL
    0000:0025 2037 AND BYTE PTR [EDI],DH
    0000:0027 3220 XOR AH,BYTE PTR [EAX]
    0000:0029 3545203038 XOR EAX,38302045
    0000:002E 2030 AND BYTE PTR [EAX],DH
    0000:0030 3020 XOR BYTE PTR [EAX],AH
    0000:0032 3435 XOR AL,35
    0000:0034 2030 AND BYTE PTR [EAX],DH
    0000:0036 3020 XOR BYTE PTR [EAX],AH
    0000:0038 202E AND BYTE PTR [ESI],CH
    0000:003A 2E CS:
    0000:003B 2E CS:
    0000:003C 2E CS:
    0000:003D 57 PUSH EDI
    0000:003E 2E CS:
    0000:003F 2E CS:
    0000:0040 60 PUSHAD
    0000:0041 2E CS:
    0000:0042 2E CS:
    0000:0043 725E JB 000000A3
    0000:0045 2E CS:
    0000:0046 2E CS:
    0000:0047 45 INC EBP
    0000:0048 2E CS:
    0000:0049 0D0A307830 OR EAX,3078300A
    0000:004E 3031 XOR BYTE PTR [ECX],DH
    0000:0050 303A XOR BYTE PTR [EDX],BH
    0000:0052 2030 AND BYTE PTR [EAX],DH
    0000:0054 3520444320 XOR EAX,20434420
    0000:0059 41 INC ECX
    0000:005A 42 INC EDX
    0000:005B 2031 AND BYTE PTR [ECX],DH
    0000:005D 3920 CMP DWORD PTR [EAX],ESP
    0000:005F 3430 XOR AL,30
    0000:0061 2030 AND BYTE PTR [EAX],DH
    0000:0063 3020 XOR BYTE PTR [EAX],AH
    0000:0065 37 AAA
    0000:0066 3120 XOR DWORD PTR [EAX],ESP
    0000:0068 3036 XOR BYTE PTR [ESI],DH
    0000:006A 2037 AND BYTE PTR [EDI],DH
    0000:006C 3320 XOR ESP,DWORD PTR [EAX]
    0000:006E 3239 XOR BH,BYTE PTR [ECX]
    0000:0070 203433 AND BYTE PTR [EBX+ESI],DH
    0000:0073 204135 AND BYTE PTR [ECX+35],AL
    0000:0076 20444620 AND BYTE PTR [ESI+EAX*2+20],AL
    0000:007A 3836 CMP BYTE PTR [ESI],DH
    0000:007C 204330 AND BYTE PTR [EBX+30],AL
    0000:007F 204138 AND BYTE PTR [ECX+38],AL
    0000:0082 2020 AND BYTE PTR [EAX],AH
    0000:0084 2E CS:
    0000:0085 2E CS:
    0000:0086 2E CS:
    0000:0087 2E CS:
    0000:0088 40 INC EAX
    0000:0089 2E CS:
    0000:008A 712E JNO 000000BA
    0000:008C 7329 JNB 000000B7
    0000:008E 43 INC EBX
    0000:008F 2E CS:
    0000:0090 2E CS:
    0000:0091 2E CS:
    0000:0092 2E CS:
    0000:0093 2E CS:
    0000:0094 0D0A307830 OR EAX,3078300A
    0000:0099 3032 XOR BYTE PTR [EDX],DH
    0000:009B 303A XOR BYTE PTR [EDX],BH
    0000:009D 2030 AND BYTE PTR [EAX],DH
    0000:009F 3220 XOR AH,BYTE PTR [EAX]
    0000:00A1 303520303620 XOR BYTE PTR [20363020],DH
    0000:00A7 3445 XOR AL,45
    0000:00A9 2030 AND BYTE PTR [EAX],DH
    0000:00AB 3020 XOR BYTE PTR [EAX],AH
    0000:00AD 3530203931 XOR EAX,31392030
    0000:00B2 2031 AND BYTE PTR [ECX],DH
    0000:00B4 45 INC EBP
    0000:00B5 2032 AND BYTE PTR [EDX],DH
    0000:00B7 41 INC ECX
    0000:00B8 2031 AND BYTE PTR [ECX],DH
    0000:00BA 42 INC EDX
    0000:00BB 2030 AND BYTE PTR [EAX],DH
    0000:00BD 44 INC ESP
    0000:00BE 204534 AND BYTE PTR [EBP+34],AL
    0000:00C1 204534 AND BYTE PTR [EBP+34],AL
    0000:00C4 204637 AND BYTE PTR [ESI+37],AL
    0000:00C7 203530203130 AND BYTE PTR [30312030],DH
    0000:00CD 2020 AND BYTE PTR [EAX],AH
    0000:00CF 2E CS:
    0000:00D0 2E CS:
    0000:00D1 2E CS:
    0000:00D2 4E DEC ESI
    0000:00D3 2E CS:
    0000:00D4 50 PUSH EAX
    0000:00D5 2E CS:
    0000:00D6 2E CS:
    0000:00D7 2A2E SUB CH,BYTE PTR [ESI]
    0000:00D9 2E CS:
    0000:00DA 2E CS:
    0000:00DB 2E CS:
    0000:00DC 2E CS:
    0000:00DD 50 PUSH EAX
    0000:00DE 2E CS:
    0000:00DF 0D0A307830 OR EAX,3078300A
    0000:00E4 3033 XOR BYTE PTR [EBX],DH
    0000:00E6 303A XOR BYTE PTR [EDX],BH
    0000:00E8 203434 AND BYTE PTR [ESP+ESI],DH
    0000:00EB 2037 AND BYTE PTR [EDI],DH
    0000:00ED 3020 XOR BYTE PTR [EAX],AH
    0000:00EF 46 INC ESI
    0000:00F0 36 SS:
    0000:00F1 2037 AND BYTE PTR [EDI],DH
    0000:00F3 3220 XOR AH,BYTE PTR [EAX]
    0000:00F5 3030 XOR BYTE PTR [EAX],DH
    0000:00F7 2030 AND BYTE PTR [EAX],DH
    0000:00F9 3020 XOR BYTE PTR [EAX],AH
    0000:00FB 3533203435 XOR EAX,35342033
    0000:0100 203431 AND BYTE PTR [ECX+ESI],DH
    0000:0103 203532203433 AND BYTE PTR [33342032],DH
    0000:0109 203438 AND BYTE PTR [EAX+EDI],DH
    0000:010C 2032 AND BYTE PTR [EDX],DH
    0000:010E 3020 XOR BYTE PTR [EAX],AH
    0000:0110 324620 XOR AL,BYTE PTR [ESI+20]
    0000:0113 3930 CMP DWORD PTR [EAX],ESI
    0000:0115 2030 AND BYTE PTR [EAX],DH
    0000:0117 3220 XOR AH,BYTE PTR [EAX]
    0000:0119 2044702E AND BYTE PTR [EAX+ESI*2+2E],AL
    0000:011D 722E JB 0000014D
    0000:011F 2E CS:
    0000:0120 53 PUSH EBX
    0000:0121 45 INC EBP
    0000:0122 41 INC ECX
    0000:0123 52 PUSH EDX
    0000:0124 43 INC EBX
    0000:0125 48 DEC EAX
    0000:0126 202F AND BYTE PTR [EDI],CH
    0000:0128 2E CS:
    0000:0129 2E CS:
    0000:012A 0D0A307830 OR EAX,3078300A
    0000:012F 303430 XOR BYTE PTR [EAX+ESI],DH
    0000:0132 3A20 CMP AH,BYTE PTR [EAX]
    0000:0134 42 INC EDX
    0000:0135 3120 XOR DWORD PTR [EAX],ESP
    0000:0137 3032 XOR BYTE PTR [EDX],DH
    0000:0139 204231 AND BYTE PTR [EDX+31],AL
    0000:013C 2030 AND BYTE PTR [EAX],DH
    0000:013E 3220 XOR AH,BYTE PTR [EAX]
    0000:0140 42 INC EDX
    0000:0141 3120 XOR DWORD PTR [EAX],ESP
    0000:0143 3032 XOR BYTE PTR [EDX],DH
    0000:0145 204231 AND BYTE PTR [EDX+31],AL
    0000:0148 2030 AND BYTE PTR [EAX],DH
    0000:014A 3220 XOR AH,BYTE PTR [EAX]
    0000:014C 42 INC EDX
    0000:014D 3120 XOR DWORD PTR [EAX],ESP
    0000:014F 3032 XOR BYTE PTR [EDX],DH
    0000:0151 204231 AND BYTE PTR [EDX+31],AL
    0000:0154 2030 AND BYTE PTR [EAX],DH
    0000:0156 3220 XOR AH,BYTE PTR [EAX]
    0000:0158 42 INC EDX
    0000:0159 3120 XOR DWORD PTR [EAX],ESP
    0000:015B 3032 XOR BYTE PTR [EDX],DH
    0000:015D 204231 AND BYTE PTR [EDX+31],AL
    0000:0160 2030 AND BYTE PTR [EAX],DH
    0000:0162 3220 XOR AH,BYTE PTR [EAX]
    0000:0164 202E AND BYTE PTR [ESI],CH
    0000:0166 2E CS:
    0000:0167 2E CS:
    0000:0168 2E CS:
    0000:0169 2E CS:
    0000:016A 2E CS:
    0000:016B 2E CS:
    0000:016C 2E CS:
    0000:016D 2E CS:
    0000:016E 2E CS:
    0000:016F 2E CS:
    0000:0170 2E CS:
    0000:0171 2E CS:
    0000:0172 2E CS:
    0000:0173 2E CS:
    0000:0174 2E CS:
    0000:0175 0D0A307830 OR EAX,3078300A
    0000:017A 3035303A2042 XOR BYTE PTR [42203A30],DH
    0000:0180 3120 XOR DWORD PTR [EAX],ESP
    0000:0182 3032 XOR BYTE PTR [EDX],DH
    0000:0184 204231 AND BYTE PTR [EDX+31],AL
    0000:0187 2030 AND BYTE PTR [EAX],DH
    0000:0189 3220 XOR AH,BYTE PTR [EAX]
    0000:018B 42 INC EDX
    0000:018C 3120 XOR DWORD PTR [EAX],ESP
    0000:018E 3032 XOR BYTE PTR [EDX],DH
    0000:0190 204231 AND BYTE PTR [EDX+31],AL
    0000:0193 2030 AND BYTE PTR [EAX],DH
    0000:0195 3220 XOR AH,BYTE PTR [EAX]
    0000:0197 42 INC EDX
    0000:0198 3120 XOR DWORD PTR [EAX],ESP
    0000:019A 3032 XOR BYTE PTR [EDX],DH
    0000:019C 204231 AND BYTE PTR [EDX+31],AL
    0000:019F 2030 AND BYTE PTR [EAX],DH
    0000:01A1 3220 XOR AH,BYTE PTR [EAX]
    0000:01A3 42 INC EDX
    0000:01A4 3120 XOR DWORD PTR [EAX],ESP
    0000:01A6 3032 XOR BYTE PTR [EDX],DH
    0000:01A8 204231 AND BYTE PTR [EDX+31],AL
    0000:01AB 2030 AND BYTE PTR [EAX],DH
    0000:01AD 3220 XOR AH,BYTE PTR [EAX]
    0000:01AF 202E AND BYTE PTR [ESI],CH
    0000:01B1 2E CS:
    0000:01B2 2E CS:
    0000:01B3 2E CS:
    0000:01B4 2E CS:
    0000:01B5 2E CS:
    0000:01B6 2E CS:
    0000:01B7 2E CS:
    0000:01B8 2E CS:
    0000:01B9 2E CS:
    0000:01BA 2E CS:
    0000:01BB 2E CS:
    0000:01BC 2E CS:
    0000:01BD 2E CS:
    0000:01BE 2E CS:
    0000:01BF 2E CS:
    0000:01C0 0D0A307830 OR EAX,3078300A
    0000:01C5 3036 XOR BYTE PTR [ESI],DH
    0000:01C7 303A XOR BYTE PTR [EDX],BH
    0000:01C9 204231 AND BYTE PTR [EDX+31],AL
    0000:01CC 2030 AND BYTE PTR [EAX],DH
    0000:01CE 3220 XOR AH,BYTE PTR [EAX]
    0000:01D0 42 INC EDX
    0000:01D1 3120 XOR DWORD PTR [EAX],ESP
    0000:01D3 3032 XOR BYTE PTR [EDX],DH
    0000:01D5 204231 AND BYTE PTR [EDX+31],AL
    0000:01D8 2030 AND BYTE PTR [EAX],DH
    0000:01DA 3220 XOR AH,BYTE PTR [EAX]
    0000:01DC 42 INC EDX
    0000:01DD 3120 XOR DWORD PTR [EAX],ESP
    0000:01DF 3032 XOR BYTE PTR [EDX],DH
    0000:01E1 204231 AND BYTE PTR [EDX+31],AL
    0000:01E4 2030 AND BYTE PTR [EAX],DH
    0000:01E6 3220 XOR AH,BYTE PTR [EAX]
    0000:01E8 42 INC EDX
    0000:01E9 3120 XOR DWORD PTR [EAX],ESP
    0000:01EB 3032 XOR BYTE PTR [EDX],DH
    0000:01ED 204231 AND BYTE PTR [EDX+31],AL
    0000:01F0 2030 AND BYTE PTR [EAX],DH
    0000:01F2 3220 XOR AH,BYTE PTR [EAX]
    0000:01F4 42 INC EDX
    0000:01F5 3120 XOR DWORD PTR [EAX],ESP
    0000:01F7 3032 XOR BYTE PTR [EDX],DH
    0000:01F9 2020 AND BYTE PTR [EAX],AH
    0000:01FB 2E CS:
    0000:01FC 2E CS:
    0000:01FD 2E CS:
    0000:01FE 2E CS:
    0000:01FF 2E CS:
    0000:0200 2E CS:
    0000:0201 2E CS:
    0000:0202 2E CS:
    0000:0203 2E CS:
    0000:0204 2E CS:
    0000:0205 2E CS:
    0000:0206 2E CS:
    0000:0207 2E CS:
    0000:0208 2E CS:
    0000:0209 2E CS:
    0000:020A 2E CS:
    0000:020B 0D0A307830 OR EAX,3078300A
    0000:0210 3037 XOR BYTE PTR [EDI],DH
    0000:0212 303A XOR BYTE PTR [EDX],BH
    0000:0214 204231 AND BYTE PTR [EDX+31],AL
    0000:0217 2030 AND BYTE PTR [EAX],DH
    0000:0219 3220 XOR AH,BYTE PTR [EAX]
    0000:021B 42 INC EDX
    0000:021C 3120 XOR DWORD PTR [EAX],ESP
    0000:021E 3032 XOR BYTE PTR [EDX],DH
    0000:0220 204231 AND BYTE PTR [EDX+31],AL
    0000:0223 2030 AND BYTE PTR [EAX],DH
    0000:0225 3220 XOR AH,BYTE PTR [EAX]
    0000:0227 42 INC EDX
    0000:0228 3120 XOR DWORD PTR [EAX],ESP
    0000:022A 3032 XOR BYTE PTR [EDX],DH
    0000:022C 204231 AND BYTE PTR [EDX+31],AL
    0000:022F 2030 AND BYTE PTR [EAX],DH
    0000:0231 3220 XOR AH,BYTE PTR [EAX]
    0000:0233 42 INC EDX
    0000:0234 3120 XOR DWORD PTR [EAX],ESP
    0000:0236 3032 XOR BYTE PTR [EDX],DH
    0000:0238 204231 AND BYTE PTR [EDX+31],AL
    0000:023B 2030 AND BYTE PTR [EAX],DH
    0000:023D 3220 XOR AH,BYTE PTR [EAX]
    0000:023F 42 INC EDX
    0000:0240 3120 XOR DWORD PTR [EAX],ESP
    0000:0242 3032 XOR BYTE PTR [EDX],DH
    0000:0244 2020 AND BYTE PTR [EAX],AH
    0000:0246 2E CS:
    0000:0247 2E CS:
    0000:0248 2E CS:
    0000:0249 2E CS:
    0000:024A 2E CS:
    0000:024B 2E CS:
    0000:024C 2E CS:
    0000:024D 2E CS:
    0000:024E 2E CS:
    0000:024F 2E CS:
    0000:0250 2E CS:
    0000:0251 2E CS:
    0000:0252 2E CS:
    0000:0253 2E CS:
    0000:0254 2E CS:
    0000:0255 2E CS:
    0000:0256 0D0A307830 OR EAX,3078300A
    0000:025B 3038 XOR BYTE PTR [EAX],BH
    0000:025D 303A XOR BYTE PTR [EDX],BH
    0000:025F 204231 AND BYTE PTR [EDX+31],AL
    0000:0262 2030 AND BYTE PTR [EAX],DH
    0000:0264 3220 XOR AH,BYTE PTR [EAX]
    0000:0266 42 INC EDX
    0000:0267 3120 XOR DWORD PTR [EAX],ESP
    0000:0269 3032 XOR BYTE PTR [EDX],DH
    0000:026B 204231 AND BYTE PTR [EDX+31],AL
    0000:026E 2030 AND BYTE PTR [EAX],DH
    0000:0270 3220 XOR AH,BYTE PTR [EAX]
    0000:0272 42 INC EDX
    0000:0273 3120 XOR DWORD PTR [EAX],ESP
    0000:0275 3032 XOR BYTE PTR [EDX],DH
    0000:0277 204231 AND BYTE PTR [EDX+31],AL
    0000:027A 2030 AND BYTE PTR [EAX],DH
    0000:027C 3220 XOR AH,BYTE PTR [EAX]
    0000:027E 42 INC EDX
    0000:027F 3120 XOR DWORD PTR [EAX],ESP
    0000:0281 3032 XOR BYTE PTR [EDX],DH
    0000:0283 204231 AND BYTE PTR [EDX+31],AL
    0000:0286 2030 AND BYTE PTR [EAX],DH
    0000:0288 3220 XOR AH,BYTE PTR [EAX]
    0000:028A 42 INC EDX
    0000:028B 3120 XOR DWORD PTR [EAX],ESP
    0000:028D 3032 XOR BYTE PTR [EDX],DH
    0000:028F 2020 AND BYTE PTR [EAX],AH
    0000:0291 2E CS:
    0000:0292 2E CS:
    0000:0293 2E CS:
    0000:0294 2E CS:
    0000:0295 2E CS:
    0000:0296 2E CS:
    0000:0297 2E CS:
    0000:0298 2E CS:
    0000:0299 2E CS:
    0000:029A 2E CS:
    0000:029B 2E CS:
    0000:029C 2E CS:
    0000:029D 2E CS:
    0000:029E 2E CS:
    0000:029F 2E CS:
    0000:02A0 2E CS:
    0000:02A1 0D0A307830 OR EAX,3078300A
    0000:02A6 3039 XOR BYTE PTR [ECX],BH
    0000:02A8 303A XOR BYTE PTR [EDX],BH
    0000:02AA 204231 AND BYTE PTR [EDX+31],AL
    0000:02AD 2030 AND BYTE PTR [EAX],DH
    0000:02AF 3220 XOR AH,BYTE PTR [EAX]
    0000:02B1 42 INC EDX
    0000:02B2 3120 XOR DWORD PTR [EAX],ESP
    0000:02B4 3032 XOR BYTE PTR [EDX],DH
    0000:02B6 204231 AND BYTE PTR [EDX+31],AL
    0000:02B9 2030 AND BYTE PTR [EAX],DH
    0000:02BB 3220 XOR AH,BYTE PTR [EAX]
    0000:02BD 42 INC EDX
    0000:02BE 3120 XOR DWORD PTR [EAX],ESP
    0000:02C0 3032 XOR BYTE PTR [EDX],DH
    0000:02C2 204231 AND BYTE PTR [EDX+31],AL
    0000:02C5 2030 AND BYTE PTR [EAX],DH
    0000:02C7 3220 XOR AH,BYTE PTR [EAX]
    0000:02C9 42 INC EDX
    0000:02CA 3120 XOR DWORD PTR [EAX],ESP
    0000:02CC 3032 XOR BYTE PTR [EDX],DH
    0000:02CE 204231 AND BYTE PTR [EDX+31],AL
    0000:02D1 2030 AND BYTE PTR [EAX],DH
    0000:02D3 3220 XOR AH,BYTE PTR [EAX]
    0000:02D5 42 INC EDX
    0000:02D6 3120 XOR DWORD PTR [EAX],ESP
    0000:02D8 3032 XOR BYTE PTR [EDX],DH
    0000:02DA 2020 AND BYTE PTR [EAX],AH
    0000:02DC 2E CS:
    0000:02DD 2E CS:
    0000:02DE 2E CS:
    0000:02DF 2E CS:
    0000:02E0 2E CS:
    0000:02E1 2E CS:
    0000:02E2 2E CS:
    0000:02E3 2E CS:
    0000:02E4 2E CS:
    0000:02E5 2E CS:
    0000:02E6 2E CS:
    0000:02E7 2E CS:
    0000:02E8 2E CS:
    0000:02E9 2E CS:
    0000:02EA 2E CS:
    0000:02EB 2E CS:
    0000:02EC 0D0A307830 OR EAX,3078300A
    0000:02F1 304130 XOR BYTE PTR [ECX+30],AL
    0000:02F4 3A20 CMP AH,BYTE PTR [EAX]
    0000:02F6 42 INC EDX
    0000:02F7 3120 XOR DWORD PTR [EAX],ESP
    0000:02F9 3032 XOR BYTE PTR [EDX],DH
    0000:02FB 204231 AND BYTE PTR [EDX+31],AL
    0000:02FE 2030 AND BYTE PTR [EAX],DH
    0000:0300 3220 XOR AH,BYTE PTR [EAX]
    0000:0302 42 INC EDX
    0000:0303 3120 XOR DWORD PTR [EAX],ESP
    0000:0305 3032 XOR BYTE PTR [EDX],DH
    0000:0307 204231 AND BYTE PTR [EDX+31],AL
    0000:030A 2030 AND BYTE PTR [EAX],DH
    0000:030C 3220 XOR AH,BYTE PTR [EAX]
    0000:030E 42 INC EDX
    0000:030F 3120 XOR DWORD PTR [EAX],ESP
    0000:0311 3032 XOR BYTE PTR [EDX],DH
    0000:0313 204231 AND BYTE PTR [EDX+31],AL
    0000:0316 2030 AND BYTE PTR [EAX],DH
    0000:0318 3220 XOR AH,BYTE PTR [EAX]
    0000:031A 42 INC EDX
    0000:031B 3120 XOR DWORD PTR [EAX],ESP
    0000:031D 3032 XOR BYTE PTR [EDX],DH
    0000:031F 204231 AND BYTE PTR [EDX+31],AL
    0000:0322 2030 AND BYTE PTR [EAX],DH
    0000:0324 3220 XOR AH,BYTE PTR [EAX]
    0000:0326 202E AND BYTE PTR [ESI],CH
    0000:0328 2E CS:
    0000:0329 2E CS:
    0000:032A 2E CS:
    0000:032B 2E CS:
    0000:032C 2E CS:
    0000:032D 2E CS:
    0000:032E 2E CS:
    0000:032F 2E CS:
    0000:0330 2E CS:
    0000:0331 2E CS:
    0000:0332 2E CS:
    0000:0333 2E CS:
    0000:0334 2E CS:
    0000:0335 2E CS:
    0000:0336 2E CS:
    0000:0337 0D0A307830 OR EAX,3078300A
    0000:033C 304230 XOR BYTE PTR [EDX+30],AL
    0000:033F 3A20 CMP AH,BYTE PTR [EAX]
    0000:0341 42 INC EDX
    0000:0342 3120 XOR DWORD PTR [EAX],ESP
    0000:0344 3032 XOR BYTE PTR [EDX],DH
    0000:0346 204231 AND BYTE PTR [EDX+31],AL
    0000:0349 2030 AND BYTE PTR [EAX],DH
    0000:034B 3220 XOR AH,BYTE PTR [EAX]
    0000:034D 42 INC EDX
    0000:034E 3120 XOR DWORD PTR [EAX],ESP
    0000:0350 3032 XOR BYTE PTR [EDX],DH
    0000:0352 204231 AND BYTE PTR [EDX+31],AL
    0000:0355 2030 AND BYTE PTR [EAX],DH
    0000:0357 3220 XOR AH,BYTE PTR [EAX]
    0000:0359 42 INC EDX
    0000:035A 3120 XOR DWORD PTR [EAX],ESP
    0000:035C 3032 XOR BYTE PTR [EDX],DH
    0000:035E 204231 AND BYTE PTR [EDX+31],AL
    0000:0361 2030 AND BYTE PTR [EAX],DH
    0000:0363 3220 XOR AH,BYTE PTR [EAX]
    0000:0365 42 INC EDX
    0000:0366 3120 XOR DWORD PTR [EAX],ESP
    0000:0368 3032 XOR BYTE PTR [EDX],DH
    0000:036A 204231 AND BYTE PTR [EDX+31],AL
    0000:036D 2030 AND BYTE PTR [EAX],DH
    0000:036F 3220 XOR AH,BYTE PTR [EAX]
    0000:0371 202E AND BYTE PTR [ESI],CH
    0000:0373 2E CS:
    0000:0374 2E CS:
    0000:0375 2E CS:
    0000:0376 2E CS:
    0000:0377 2E CS:
    0000:0378 2E CS:
    0000:0379 2E CS:
    0000:037A 2E CS:
    0000:037B 2E CS:
    0000:037C 2E CS:
    0000:037D 2E CS:
    0000:037E 2E CS:
    0000:037F 2E CS:
    0000:0380 2E CS:
    0000:0381 2E CS:
    0000:0382 0D0A307830 OR EAX,3078300A
    0000:0387 304330 XOR BYTE PTR [EBX+30],AL
    0000:038A 3A20 CMP AH,BYTE PTR [EAX]
    0000:038C 42 INC EDX
    0000:038D 3120 XOR DWORD PTR [EAX],ESP
    0000:038F 3032 XOR BYTE PTR [EDX],DH
    0000:0391 204231 AND BYTE PTR [EDX+31],AL
    0000:0394 2030 AND BYTE PTR [EAX],DH
    0000:0396 3220 XOR AH,BYTE PTR [EAX]
    0000:0398 42 INC EDX
    0000:0399 3120 XOR DWORD PTR [EAX],ESP
    0000:039B 3032 XOR BYTE PTR [EDX],DH
    0000:039D 204231 AND BYTE PTR [EDX+31],AL
    0000:03A0 2030 AND BYTE PTR [EAX],DH
    0000:03A2 3220 XOR AH,BYTE PTR [EAX]
    0000:03A4 42 INC EDX
    0000:03A5 3120 XOR DWORD PTR [EAX],ESP
    0000:03A7 3032 XOR BYTE PTR [EDX],DH
    0000:03A9 204231 AND BYTE PTR [EDX+31],AL
    0000:03AC 2030 AND BYTE PTR [EAX],DH
    0000:03AE 3220 XOR AH,BYTE PTR [EAX]
    0000:03B0 42 INC EDX
    0000:03B1 3120 XOR DWORD PTR [EAX],ESP
    0000:03B3 3032 XOR BYTE PTR [EDX],DH
    0000:03B5 204231 AND BYTE PTR [EDX+31],AL
    0000:03B8 2030 AND BYTE PTR [EAX],DH
    0000:03BA 3220 XOR AH,BYTE PTR [EAX]
    0000:03BC 202E AND BYTE PTR [ESI],CH
    0000:03BE 2E CS:
    0000:03BF 2E CS:
    0000:03C0 2E CS:
    0000:03C1 2E CS:
    0000:03C2 2E CS:
    0000:03C3 2E CS:
    0000:03C4 2E CS:
    0000:03C5 2E CS:
    0000:03C6 2E CS:
    0000:03C7 2E CS:
    0000:03C8 2E CS:
    0000:03C9 2E CS:
    0000:03CA 2E CS:
    0000:03CB 2E CS:
    0000:03CC 2E CS:
    0000:03CD 0D0A307830 OR EAX,3078300A
    0000:03D2 3044303A XOR BYTE PTR [EAX+ESI+3A],AL
    0000:03D6 204231 AND BYTE PTR [EDX+31],AL
    0000:03D9 2030 AND BYTE PTR [EAX],DH
    0000:03DB 3220 XOR AH,BYTE PTR [EAX]
    0000:03DD 42 INC EDX
    0000:03DE 3120 XOR DWORD PTR [EAX],ESP
    0000:03E0 3032 XOR BYTE PTR [EDX],DH
    0000:03E2 204231 AND BYTE PTR [EDX+31],AL
    0000:03E5 2030 AND BYTE PTR [EAX],DH
    0000:03E7 3220 XOR AH,BYTE PTR [EAX]
    0000:03E9 42 INC EDX
    0000:03EA 3120 XOR DWORD PTR [EAX],ESP
    0000:03EC 3032 XOR BYTE PTR [EDX],DH
    0000:03EE 204231 AND BYTE PTR [EDX+31],AL
    0000:03F1 2030 AND BYTE PTR [EAX],DH
    0000:03F3 3220 XOR AH,BYTE PTR [EAX]
    0000:03F5 42 INC EDX
    0000:03F6 3120 XOR DWORD PTR [EAX],ESP
    0000:03F8 3032 XOR BYTE PTR [EDX],DH
    0000:03FA 204231 AND BYTE PTR [EDX+31],AL
    0000:03FD 2030 AND BYTE PTR [EAX],DH
    0000:03FF 3220 XOR AH,BYTE PTR [EAX]
    0000:0401 42 INC EDX
    0000:0402 3120 XOR DWORD PTR [EAX],ESP
    0000:0404 3032 XOR BYTE PTR [EDX],DH
    0000:0406 2020 AND BYTE PTR [EAX],AH
    0000:0408 2E CS:
    0000:0409 2E CS:
    0000:040A 2E CS:
    0000:040B 2E CS:
    0000:040C 2E CS:
    0000:040D 2E CS:
    0000:040E 2E CS:
    0000:040F 2E CS:
    0000:0410 2E CS:
    0000:0411 2E CS:
    0000:0412 2E CS:
    0000:0413 2E CS:
    0000:0414 2E CS:
    0000:0415 2E CS:
    0000:0416 2E CS:
    0000:0417 2E CS:
    0000:0418 0D0A307830 OR EAX,3078300A
    0000:041D 304530 XOR BYTE PTR [EBP+30],AL
    0000:0420 3A20 CMP AH,BYTE PTR [EAX]
    0000:0422 42 INC EDX
    0000:0423 3120 XOR DWORD PTR [EAX],ESP
    0000:0425 3032 XOR BYTE PTR [EDX],DH
    0000:0427 204231 AND BYTE PTR [EDX+31],AL
    0000:042A 2030 AND BYTE PTR [EAX],DH
    0000:042C 3220 XOR AH,BYTE PTR [EAX]
    0000:042E 42 INC EDX
    0000:042F 3120 XOR DWORD PTR [EAX],ESP
    0000:0431 3032 XOR BYTE PTR [EDX],DH
    0000:0433 204231 AND BYTE PTR [EDX+31],AL
    0000:0436 2030 AND BYTE PTR [EAX],DH
    0000:0438 3220 XOR AH,BYTE PTR [EAX]
    0000:043A 42 INC EDX
    0000:043B 3120 XOR DWORD PTR [EAX],ESP
    0000:043D 3032 XOR BYTE PTR [EDX],DH
    0000:043F 204231 AND BYTE PTR [EDX+31],AL
    0000:0442 2030 AND BYTE PTR [EAX],DH
    0000:0444 3220 XOR AH,BYTE PTR [EAX]
    0000:0446 42 INC EDX
    0000:0447 3120 XOR DWORD PTR [EAX],ESP
    0000:0449 3032 XOR BYTE PTR [EDX],DH
    0000:044B 204231 AND BYTE PTR [EDX+31],AL
    0000:044E 2030 AND BYTE PTR [EAX],DH
    0000:0450 3220 XOR AH,BYTE PTR [EAX]
    0000:0452 202E AND BYTE PTR [ESI],CH
    0000:0454 2E CS:
    0000:0455 2E CS:
    0000:0456 2E CS:
    0000:0457 2E CS:
    0000:0458 2E CS:
    0000:0459 2E CS:
    0000:045A 2E CS:
    0000:045B 2E CS:
    0000:045C 2E CS:
    0000:045D 2E CS:
    0000:045E 2E CS:
    0000:045F 2E CS:
    0000:0460 2E CS:
    0000:0461 2E CS:
    0000:0462 2E CS:
    0000:0463 0D OR EAX,!
    0000:0464 0A00 OR AL,BYTE PTR [EAX]

    ----- Original Message -----
    From: "Benny Teh (M_IT Ops)" <BENNYTEH@M.CARSEMS.COM.MY>
    To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
    Sent: Friday, April 02, 2004 10:23 AM
    Subject: Suspicious WebDAV Traffic

    > Hi guys,
    >
    > We've been getting quite a lot of suspicious HTTP traffic to our
    > webservers. It seems like another network worm exploiting buffer overflow
    > vulnerabilities. Attached below is a snippet of what we're getting from our
    > Snort IDS. Does anyone have any clue what this is all about?
    >
    > [**] WEB-MISC WebDAV search access [**]
    > 04/01-18:32:41.105461 0:60:97:E1:72:5E -> 0:A0:C9:D8:57:B5 type:0x800
    > len:0x5EA
    > x.x.x.x:1614 -> x.x.x.x:80 TCP TTL:113 TOS:0x0 ID:43801 IpLen:20 DgmLen:1500
    > DF
    > ***A**** Seq: 0x911E2A1B Ack: 0xDE4E4F7 Win: 0x4470 TcpLen: 20
    > 0x0000: 00 A0 C9 D8 57 B5 00 60 97 E1 72 5E 08 00 45 00 ...W..`..r^..E.
    > 0x0010: 05 DC AB 19 40 00 71 06 73 29 43 A5 DF 86 C0 A8 ...@.q.s)C.....
    > 0x0020: 02 05 06 4E 00 50 91 1E 2A 1B 0D E4 E4 F7 50 10 ..N.P..*.....P.
    > 0x0030: 44 70 F6 72 00 00 53 45 41 52 43 48 20 2F 90 02 Dp.r..SEARCH /..
    > 0x0040: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ...............
    > 0x0050: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ...............
    > 0x0060: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ...............
    > 0x0070: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ...............
    > 0x0080: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ...............
    > 0x0090: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ...............
    > 0x00A0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ...............
    > 0x00B0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ...............
    > 0x00C0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ...............
    > 0x00D0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ...............
    > 0x00E0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ...............
    >
    > Regards,
    > Benny T.
    > Information Security Executive
    > Carsem (M) Sdn Bhd M-site
    > <bennyteh@m.carsems.com.my>
    > Tel: (+60) 05-3123333 Ext: 332
    >
    > -----
    > NTBugtraq Editor's Note:
    >
    > Wondering how to unsubscribe from NTBugtraq? Just send a message to Listserv@listserv.ntbugtraq.com with unsubscribe ntbugtraq in the message body, you don't need a subject line. If it says you aren't subscribed, you've either subscribed with a different email address or your address has changed somehow. Just email Russ.Cooper@rc.on.ca and I'll remove you.
    > -----
    >

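As an added example (not part of Tom's post, the Hackman output or Benny's message), the Python below performs the two checks an analyst wants before trusting a disassembly of an unknown blob: it reads the opcode bytes of the listing above as ASCII, which reproduces the Snort dump row "0x0000: 00 A0 C9 ..." quoted in the original message, and it rebuilds the real packet bytes from the Snort hex dump and isolates the TCP payload that actually carried the WebDAV SEARCH request the IDS alerted on. The opcode bytes and dump rows are copied from this page; the 0.95 printable-ratio threshold is an assumption.

```python
"""Triage helpers for an unknown byte blob (added example, not from the post).

Read as ASCII, the opcode column of the listing above is the text of the Snort
dump row "0x0000: 00 A0 C9 ..." quoted in the original message; the listing
therefore disassembles the dump's text, not the packet.  parse_snort_dump()
and tcp_payload() recover the bytes that are worth analysing instead.
"""
import re
import string

# Opcode column of listing lines 0000:0000 .. 0000:0049, copied from the post.
LISTING_OPCODES = [
    "307830", "3030", "303A", "2030", "3020", "41", "3020", "43", "3920", "44",
    "3820", "3537204235", "2030", "3020", "36", "3020", "3937", "204531", "2037",
    "3220", "3545203038", "2030", "3020", "3435", "2030", "3020", "202E", "2E",
    "2E", "2E", "57", "2E", "2E", "60", "2E", "2E", "725E", "2E", "2E", "45",
    "2E", "0D0A307830",
]

# First five rows of the Snort hex dump quoted in the original message.
SNORT_DUMP = """\
0x0000: 00 A0 C9 D8 57 B5 00 60 97 E1 72 5E 08 00 45 00 ...W..`..r^..E.
0x0010: 05 DC AB 19 40 00 71 06 73 29 43 A5 DF 86 C0 A8 ...@.q.s)C.....
0x0020: 02 05 06 4E 00 50 91 1E 2A 1B 0D E4 E4 F7 50 10 ..N.P..*.....P.
0x0030: 44 70 F6 72 00 00 53 45 41 52 43 48 20 2F 90 02 Dp.r..SEARCH /..
0x0040: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ...............
"""

PRINTABLE = set(string.printable.encode())
ROW_RE = re.compile(r"^0x([0-9A-Fa-f]{4}):\s+(.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII (whitespace included)."""
    return sum(b in PRINTABLE for b in buf) / len(buf) if buf else 0.0


def looks_like_text(buf: bytes, threshold: float = 0.95) -> bool:
    """A blob this printable should be read as text before it is disassembled."""
    return printable_ratio(buf) >= threshold


def decode_listing(opcodes) -> str:
    """Join the listing's opcode bytes and decode them as ASCII."""
    return bytes.fromhex("".join(opcodes)).decode("ascii")


def parse_snort_dump(dump: str) -> bytes:
    """Rebuild raw frame bytes from Snort rows '0xNNNN: hh hh ... <ascii>'.
    At most 16 hex tokens per row, stopping at the first non-hex token."""
    frame = bytearray()
    for line in dump.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) != len(frame):
            raise ValueError(f"non-contiguous row at offset {m.group(1)}")
        for tok in m.group(2).split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            frame.append(int(tok, 16))
    return bytes(frame)


def tcp_payload(frame: bytes) -> bytes:
    """Skip Ethernet (14 bytes), IPv4 (IHL) and TCP (data offset) headers."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    tcp = 14 + ihl
    data_off = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + data_off:]


if __name__ == "__main__":
    print("decoded listing:", repr(decode_listing(LISTING_OPCODES)))
    payload = tcp_payload(parse_snort_dump(SNORT_DUMP))
    print(f"payload printable ratio {printable_ratio(payload):.2f}, starts", payload[:8])
```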

