[Intrusions] Interesting little piece of malware...

don murdoch djmurd at cox.net
Sat Sep 18 03:04:12 GMT 2004


The behavior described below has been observed at my University for the 
past three days.  We found "nprotect.exe" (about 95K), apparently the 
culprit, and are not sure if it gets on the system via spyware or some 
such.  It is very difficult to diagnose on systems dual-infected with "msgfix" 
(if I have that right).

Yes, I am interested in a binary.

Matthew Sowers wrote:

>Seems to me to be Rbot or something very similar, maybe Rxbot, and it's using the DCOM exploit, one of the kiddies' new favorites right now. It's not malware; somewhere along the line you guys got rooted. Rbot is one of the favorites now. I have a couple of them if you would like to take a look at them to see where it installs itself, so you could get an idea of where it's located. 
>  ----- Original Message ----- 
>  From: Andrew Daviel <andrew at andrew.triumf.ca>
>  To: Intrusions List <intrusions at lists.sans.org>
>  Sent: Wednesday, September 15, 2004 12:28 AM
>  Subject: Re: [Intrusions] Interesting little piece of malware...
>
>
>  On Tue, 11 May 2004, Jim Becher wrote:
>
>  >
>  > On a couple of machines today (started first thing this morning), I started
>  > noticing Welchia-type scanning (local class B preference, port 135, etc.).  I
>  > also noticed some IRC command-and-control traffic from the machines that
>  > were responsible for the scanning.  The scanning activity was all from
>  > WinXP and Win2K machines.  Symantec anti-virus running, updated sigs in
>  > the last few days.  Symantec wasn't flagging anything.
>
>  We have seen something similar here, though I don't have any details on
>  the infected machines at this point (shut down 3 and worked on #4, but it
>  turned out to be an unrelated problem).
>
>  There was traffic to an IRC server in Taiwan (210.240.39.17). I think it
>  was used as a reporting venue. Traffic included things like:
>  JOIN #ur omfw
>  Random Port Scan started on Y.Y.x.x:135 with a delay of 5 seconds for
>  0 minutes using 100 threads.
>  PRIVMSG #ur :[Dcom135]: Exploiting IP: nnn.nnn.nnn.nnn
>  :[mtr]|496289!~sdhnmjf@=42ml-45.xxxxx.xx.com PRIVMSG #ur :[TFTP]:
>  File transfer complete to IP: nnn.nnn.nnn.nnn
>  (C:\WINDOWS\System32\MSupdate.exe).
>
>  This seemed to start up sometime this morning I think; at least, we
>  noticed the local traffic setting off alarms then.
>
>  The IRC server appeared to be running on a Windows machine used as a
>  webserver; Chinese text, no English. I haven't tried contacting them yet.
>
>  -- 
>  Andrew Daviel, TRIUMF, Canada
>  Tel. +1 (604) 222-7376
>  security at triumf.ca
>  _______________________________________________
>  Intrusions mailing list
>  Intrusions at lists.sans.org
>  http://www.dshield.org/mailman/listinfo/intrusions


-- 
------------------------------------------------
From the home box of Don Murdoch, CISSP + others
SANS - Local Mentor / GCIH Grader

To fight and conquer in all your battles is not supreme
excellence; supreme excellence consists in breaking
the enemy's resistance without fighting.
-Sun Tzu, the Art of War

Opinions expressed are mine, usually right, 
and don't reflect others.  OH - and this isn't a
UETA compliant digital signature.  
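The bot status lines Andrew quoted above (channel JOIN, "Random Port Scan started on ...", "[Dcom135]: Exploiting IP: ...", "[TFTP]: File transfer complete to IP: ... (path)") are exactly the kind of thing worth pulling out of an IRC capture during cleanup, because the TFTP "transfer complete" line is the bot's own confirmation of which hosts it actually infected and what it dropped there. The following is an added example, not code from the thread or from any of its authors: a small Python parser that runs over a constructed log modelled on those lines, classifies each message, and separates hosts that were merely attacked from hosts that received a payload. The message formats are taken from the post; the sample addresses, the sender hostname, and the assumption that the scan-start line arrives as a PRIVMSG to the channel are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of the bot's IRC reporting traffic, modelled on the lines
# quoted in the thread. Addresses are RFC 1918 placeholders, the host in the
# sender prefix is invented, and the PRIVMSG wrapping of the scan line is assumed.
SAMPLE_IRC_LOG = r"""JOIN #ur omfw
PRIVMSG #ur :Random Port Scan started on 10.20.0.0:135 with a delay of 5 seconds for 0 minutes using 100 threads.
PRIVMSG #ur :[Dcom135]: Exploiting IP: 10.20.14.7
PRIVMSG #ur :[Dcom135]: Exploiting IP: 10.20.14.9
:[mtr]|496289!~sdhnmjf@bot.example.net PRIVMSG #ur :[TFTP]: File transfer complete to IP: 10.20.14.7 (C:\WINDOWS\System32\MSupdate.exe).
PRIVMSG #chat :hello everyone
"""

# Raw IRC protocol framing: an optional ":prefix" (sender), then the command.
IRC_JOIN = re.compile(r"^(?::(?P<prefix>\S+)\s+)?JOIN\s+(?P<channel>#\S+)(?:\s+(?P<key>\S+))?")
IRC_PRIVMSG = re.compile(r"^(?::(?P<prefix>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")

# Bot status messages, in the wording quoted in the thread.
SCAN_START = re.compile(
    r"Port Scan started on (?P<range>[\w.]+):(?P<port>\d+) with a delay of (?P<delay>\d+) seconds "
    r"for (?P<minutes>\d+) minutes using (?P<threads>\d+) threads")
EXPLOIT = re.compile(r"\[(?P<module>\w+)\]: Exploiting IP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
TFTP_DONE = re.compile(
    r"\[TFTP\]: File transfer complete to IP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\((?P<path>[^)]+)\)")


@dataclass
class BotEvent:
    kind: str                                   # "join", "scan", "exploit" or "drop"
    channel: str                                # channel the report was sent to
    detail: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Optional[BotEvent]:
    """Return a BotEvent for a recognised bot report line, else None (ordinary chat)."""
    line = line.rstrip("\r\n")
    m = IRC_JOIN.match(line)
    if m:
        detail = {"key": m.group("key")} if m.group("key") else {}
        return BotEvent("join", m.group("channel"), detail)
    m = IRC_PRIVMSG.match(line)
    if not m:
        return None
    channel, text = m.group("target"), m.group("text")
    for kind, rx in (("scan", SCAN_START), ("exploit", EXPLOIT), ("drop", TFTP_DONE)):
        s = rx.search(text)
        if s:
            return BotEvent(kind, channel, s.groupdict())
    return None


def parse_log(log: str) -> List[BotEvent]:
    return [ev for ev in (parse_line(l) for l in log.splitlines()) if ev is not None]


def summarize(events: List[BotEvent]) -> Dict[str, List[str]]:
    """Indicators an incident handler wants out of the capture."""
    return {
        "channels": sorted({e.channel for e in events}),
        "scan_ranges": sorted({f"{e.detail['range']}:{e.detail['port']}" for e in events if e.kind == "scan"}),
        "exploited_ips": sorted({e.detail["ip"] for e in events if e.kind == "exploit"}),
        "dropped_files": sorted({e.detail["path"] for e in events if e.kind == "drop"}),
    }


def likely_compromised(events: List[BotEvent]) -> List[str]:
    """Hosts the bot both exploited and then delivered a payload to over TFTP.

    An "Exploiting IP" line alone is only an attempt; the TFTP "transfer
    complete" line is the bot reporting that its payload landed, so those
    hosts go to the top of the rebuild list.
    """
    exploited = {e.detail["ip"] for e in events if e.kind == "exploit"}
    dropped = {e.detail["ip"] for e in events if e.kind == "drop"}
    return sorted(exploited & dropped)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_IRC_LOG)
    for key, values in summarize(evs).items():
        print(f"{key}: {', '.join(values)}")
    print("likely compromised:", ", ".join(likely_compromised(evs)))
```

Feed it the PRIVMSG/JOIN lines from a tcpdump or ngrep of the C&C session (one IRC message per line) rather than the whole packet dump; ordinary channel chatter falls through as None, so only the bot's own status reports come out.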