[unisog] IRCd 6667 followed by 445 SYN scan

Harris, Michael C. HarrisMC at health.missouri.edu
Fri Apr 4 04:33:55 GMT 2003


Anyone else seeing compromised machines that are doing outbound SYN scans on port 445 and are under control via IRC port 6667?  Blocking the 6667 traffic stops the scanning.  Compromised hosts show positive infection of W32Kwbot.E.Worm as per NAV, but forensics show this as a different virus/worm. I have confirmed this is not Deloder or Netspree as well.  
 
A file named "Yes Uninstaller.exe" is found on compromised hosts, written to the Windows and system32 directories at the moment of compromise.

	Created directories:
	C:\WINDOWS\System32\drivers\media\cat32
	C:\WINDOWS\System32\drivers\media
	Installed files:
	C:\WINDOWS\System32\drivers\media\cat32\delttsul.exe
	C:\WINDOWS\System32\drivers\media\cat32\doskey.exe
	C:\WINDOWS\System32\drivers\media\cat32\usrmgr.exe
	C:\WINDOWS\System32\drivers\media\cat32\tifflt.dll
	C:\WINDOWS\System32\drivers\media\cat32\termsrv.exe
	C:\WINDOWS\System32\drivers\media\cat32\TAPI.EXE
	C:\WINDOWS\System32\drivers\media\cat32\services.exe
	C:\WINDOWS\System32\drivers\media\cat32\rcfg.ini
	C:\WINDOWS\System32\drivers\media\cat32\oissq400.dll
	C:\WINDOWS\System32\drivers\media\cat32\ntds.dit
	C:\WINDOWS\System32\drivers\media\cat32\ntbooks.exe
	C:\WINDOWS\System32\drivers\media\cat32\hlink.bat
	C:\WINDOWS\System32\drivers\media\cat32\faxocm.bat
	C:\WINDOWS\System32\drivers\media\cat32\wmvdmoe2.dll
	Created registry values:
	Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
	Value: Services
	

	Mike 

	-------------------------------------------------- 
	Michael C Harris 
	System Security Analyst 
	University of Missouri Health Center 

	harrismc at health.missouri.edu 
	-------------------------------------------------- 
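One way to hunt for the pattern Mike describes (a host holding an outbound 6667 session while SYN-scanning many distinct addresses on 445) across flow records, as an added example that is not part of the original post; the record format, the 20-target threshold and all addresses are constructed for illustration.

```python
from collections import defaultdict

IRC_PORT = 6667          # control channel seen on the compromised hosts
SCAN_PORT = 445          # port being SYN-scanned outbound
SCAN_THRESHOLD = 20      # distinct 445 targets before a host counts as scanning (assumed tuning value)

# Constructed flow records for illustration: (src_ip, dst_ip, dst_port, tcp_flags_seen)
SAMPLE_FLOWS = (
    # host A: one outbound IRC session plus bare-SYN probes to 30 distinct hosts on 445
    [("10.1.2.3", "192.0.2.10", 6667, "SA")]
    + [("10.1.2.3", f"198.51.100.{i}", 445, "S") for i in range(1, 31)]
    # host B: uses IRC but only completes SMB sessions with its own file server
    + [("10.1.2.4", "192.0.2.10", 6667, "SA"), ("10.1.2.4", "10.1.0.5", 445, "SA")]
    # host C: normal SMB use of three servers, no IRC at all
    + [("10.1.2.5", f"10.1.0.{i}", 445, "SA") for i in range(5, 8)]
)

def is_syn_only(flags):
    """True for a bare SYN (attempt with no ACK ever seen), the footprint of a scan probe."""
    return "S" in flags and "A" not in flags

def summarize(flows):
    """Per source host: the set of IRC peers and the set of distinct hosts probed on 445."""
    irc_peers = defaultdict(set)
    scan_targets = defaultdict(set)
    for src, dst, dport, flags in flows:
        if dport == IRC_PORT:
            irc_peers[src].add(dst)
        elif dport == SCAN_PORT and is_syn_only(flags):
            scan_targets[src].add(dst)
    return irc_peers, scan_targets

def suspects(flows, threshold=SCAN_THRESHOLD):
    """Hosts that both hold an IRC connection and SYN-probe at least `threshold` 445 targets."""
    irc_peers, scan_targets = summarize(flows)
    found = {}
    for host, targets in scan_targets.items():
        if len(targets) >= threshold and host in irc_peers:
            found[host] = {"irc_servers": sorted(irc_peers[host]),
                           "scan_targets": len(targets)}
    return found

if __name__ == "__main__":
    for host, info in suspects(SAMPLE_FLOWS).items():
        print(f"{host}: {info['scan_targets']} distinct 445 targets, IRC via {info['irc_servers']}")
```

Only host A is reported; the IRC-only host and the SMB-only host stay quiet, which is the correlation that makes the 6667 block an effective containment step.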