[Intrusions] Interesting little piece of malware...
Andrew Daviel
andrew at andrew.triumf.ca
Wed Sep 15 07:28:57 GMT 2004
On Tue, 11 May 2004, Jim Becher wrote:
>
> On a couple of machines today (started first thing this morning), I started
> noticing Welchia type scanning (local class B preference, port 135, etc). I
> also noticed some IRC command and control traffic from the machines that
> were responsible for the scanning. The scanning activity was all from
> WinXP and Win2K machines. Symantec anti-virus running, updated sigs in
> the last few days. Symantec wasn't flagging anything.
We have seen something similar here, though I don't have any details on
the infected machines at this point (shut down 3 and worked on #4, but it
turned out to be an unrelated problem).
There was traffic to an IRC server in Taiwan (210.240.39.17). I think it
was used as a reporting venue. Traffic included things like:
JOIN #ur omfw
Random Port Scan started on Y.Y.x.x:135 with a delay of 5 seconds for
0 minutes using 100 threads.
PRIVMSG #ur :[Dcom135]: Exploiting IP: nnn.nnn.nnn.nnn
:[mtr]|496289!~sdhnmjf@=42ml-45.xxxxx.xx.com PRIVMSG #ur :[TFTP]:
File transfer complete to IP: nnn.nnn.nnn.nnn
(C:\WINDOWS\System32\MSupdate.exe).
This seemed to start up sometime this morning I think; at least, we
noticed the local traffic setting off alarms then.
The IRC server appeared to be running on a Windows machine used as a
webserver; Chinese text, no English. I haven't tried contacting them yet.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at triumf.ca
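The status messages quoted above (the scan announcement, the "[Dcom135]: Exploiting IP:" line and the "[TFTP]: File transfer complete" line) are the kind of thing a network monitor can pick out of IRC traffic to recover the victim list and the dropped file name without having a copy of the bot. The following is an added example, not code from the original post or from either poster: it parses raw IRC lines into prefix/command/params, matches the trailing text against patterns modelled on the quoted messages, and summarizes the result. The sample traffic is constructed; the bot's hostmask in the post is partly redacted, so the nick, host and target addresses used here are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of IRC C&C traffic, modelled on the excerpt in the post.
# Nick, hostmask and target addresses are invented for the example.
SAMPLE_LINES = [
    ":[mtr]|496289!~sdhnmjf@host.example.com JOIN :#ur",
    ":[mtr]|496289!~sdhnmjf@host.example.com PRIVMSG #ur :Random Port Scan started on "
    "10.20.x.x:135 with a delay of 5 seconds for 0 minutes using 100 threads.",
    ":[mtr]|496289!~sdhnmjf@host.example.com PRIVMSG #ur :[Dcom135]: Exploiting IP: 10.20.33.44",
    ":[mtr]|496289!~sdhnmjf@host.example.com PRIVMSG #ur :[TFTP]: File transfer complete to IP: "
    "10.20.33.44 (C:\\WINDOWS\\System32\\MSupdate.exe).",
    ":someone!~user@host.example.org PRIVMSG #ur :hello, anyone here?",
]

# Patterns for the bot's channel reports, written from the three message
# shapes quoted in the post (the exact wording is what the bot sent there).
BOT_PATTERNS = {
    "scan_started": re.compile(
        r"^Random Port Scan started on (?P<target>\S+):(?P<port>\d+) with a delay of "
        r"(?P<delay>\d+) seconds for (?P<minutes>\d+) minutes using (?P<threads>\d+) threads\.?$"
    ),
    "exploit_attempt": re.compile(r"^\[(?P<module>[^\]]+)\]: Exploiting IP: (?P<ip>\S+)$"),
    "payload_delivered": re.compile(
        r"^\[TFTP\]: File transfer complete to IP: (?P<ip>\S+) \((?P<path>[^)]+)\)\.?$"
    ),
}


@dataclass(frozen=True)
class BotEvent:
    kind: str            # key from BOT_PATTERNS
    nick: str            # IRC nick that sent the report
    channel: str         # channel the report went to
    fields: dict = field(default_factory=dict)  # named groups from the match


def parse_irc(line):
    """Split one raw IRC line into (prefix, command, params).

    The trailing parameter (after ' :') is appended to params as a single
    string, so 'PRIVMSG #ur :text with spaces' yields ['#ur', 'text with spaces'].
    """
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    command, params = parts[0], parts[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params


def extract_bot_events(lines):
    """Return the bot status reports found in PRIVMSGs, in order of appearance."""
    events = []
    for line in lines:
        prefix, command, params = parse_irc(line.rstrip("\r\n"))
        if command != "PRIVMSG" or len(params) < 2:
            continue
        channel, text = params[0], params[-1]
        nick = prefix.split("!", 1)[0] if prefix else ""
        for kind, pattern in BOT_PATTERNS.items():
            m = pattern.match(text)
            if m:
                events.append(BotEvent(kind, nick, channel, m.groupdict()))
                break
    return events


def summarize(events):
    """Collect the indicators an incident responder wants from the reports."""
    return {
        "bots": {e.nick for e in events},
        "channels": {e.channel for e in events},
        "victims": {e.fields["ip"] for e in events if "ip" in e.fields},
        "dropped_files": {e.fields["path"] for e in events if e.kind == "payload_delivered"},
        "scan_ports": {e.fields["port"] for e in events if e.kind == "scan_started"},
    }


if __name__ == "__main__":
    found = extract_bot_events(SAMPLE_LINES)
    for ev in found:
        print(ev.kind, ev.nick, ev.channel, ev.fields)
    print(summarize(found))
```

In practice the lines would come from a capture of the TCP stream to the IRC server (the channel traffic is unencrypted), and the "victims" set is the list of local hosts to isolate next; note that an "Exploiting IP" report only means an attempt, while the "[TFTP]" report means the payload actually landed on that host.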