IRCd 6667 followed by 445 SYN scan

Stephen W. Thompson thompson+unisog at pobox.upenn.edu
Fri Apr 4 17:38:25 GMT 2003


Mike,

Maybe.  Thanks for publishing the info -- we can check it out to see if
it would explain what we were seeing on a few boxes.

En paz,
Steve
-- 
Stephen W. Thompson, UPenn, ISC Information Security

You wrote:

> Anyone else seeing compromised machines that are doing outbound SYN
> scans port 445 and are under control via irc port 6667?  Blocking the
> 6667 traffic stops the scanning.  Compromised hosts show positive
> infection of W32Kwbot.E.Worm as per NAV but forensics show this as a
> different virus/worm. I have confirmed this is not Deloder or
> Netspree as well.
>
> A file named "Yes Uninstaller.exe" found on compromised hosts written
> to Windows and system32 directories at the moment of compromise.
>
>         Created directories:
>         C:\WINDOWS\System32\drivers\media\cat32
>         C:\WINDOWS\System32\drivers\media
>         Installed files:
>         C:\WINDOWS\System32\drivers\media\cat32\delttsul.exe
>         C:\WINDOWS\System32\drivers\media\cat32\doskey.exe
>         C:\WINDOWS\System32\drivers\media\cat32\usrmgr.exe
>         C:\WINDOWS\System32\drivers\media\cat32\tifflt.dll
>         C:\WINDOWS\System32\drivers\media\cat32\termsrv.exe
>         C:\WINDOWS\System32\drivers\media\cat32\TAPI.EXE
>         C:\WINDOWS\System32\drivers\media\cat32\services.exe
>         C:\WINDOWS\System32\drivers\media\cat32\rcfg.ini
>         C:\WINDOWS\System32\drivers\media\cat32\oissq400.dll
>         C:\WINDOWS\System32\drivers\media\cat32\ntds.dit
>         C:\WINDOWS\System32\drivers\media\cat32\ntbooks.exe
>         C:\WINDOWS\System32\drivers\media\cat32\hlink.bat
>         C:\WINDOWS\System32\drivers\media\cat32\faxocm.bat
>         C:\WINDOWS\System32\drivers\media\cat32\wmvdmoe2.dll
>         Created registry values:
>         Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
>         Value: Services
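
As an added example (not part of the original post or of Mike's analysis), a small correlation check over constructed connection records, looking for the sequence the post describes: a host opening a TCP 6667 connection and then sending SYNs to many distinct hosts on TCP 445 shortly afterwards. The log format, addresses, window and threshold are assumptions.

```python
"""Added example (not from the original post): correlate an outbound IRC
control connection on TCP 6667 with a following burst of SYNs to TCP 445,
the pattern the post describes.  Input lines are constructed samples in a
hypothetical "timestamp src dst dport flags" format, not any real log."""
from collections import defaultdict

# Constructed sample records: (epoch seconds, src, dst, dport, tcp flags)
SAMPLE_LOG = """\
1049470000 10.1.2.30 198.51.100.7 6667 S
1049470001 10.1.2.30 198.51.100.7 6667 A
1049470010 10.1.2.30 10.9.0.1 445 S
1049470010 10.1.2.30 10.9.0.2 445 S
1049470011 10.1.2.30 10.9.0.3 445 S
1049470011 10.1.2.30 10.9.0.4 445 S
1049470012 10.1.2.30 10.9.0.5 445 S
1049470000 10.1.2.31 10.9.0.8 445 S
1049470500 10.1.2.31 10.9.0.9 445 S
1049470050 10.1.2.40 198.51.100.7 6667 S
"""

def parse(log):
    """Yield (ts, src, dst, dport, flags) tuples from the sample format."""
    for line in log.splitlines():
        ts, src, dst, dport, flags = line.split()
        yield int(ts), src, dst, int(dport), flags

def irc_then_445_scanners(log, window=300, min_targets=5):
    """Return {src: number of distinct 445 targets} for hosts that opened a
    connection to TCP 6667 and then sent SYNs to at least `min_targets`
    distinct hosts on TCP 445 within `window` seconds of that connection."""
    irc_starts = defaultdict(list)      # src -> [ts of SYN to 6667]
    smb_syns = defaultdict(list)        # src -> [(ts, dst) of SYN to 445]
    for ts, src, dst, dport, flags in parse(log):
        if flags == "S" and dport == 6667:
            irc_starts[src].append(ts)
        elif flags == "S" and dport == 445:
            smb_syns[src].append((ts, dst))
    flagged = {}
    for src, starts in irc_starts.items():
        for t0 in starts:
            targets = {d for t, d in smb_syns[src] if t0 <= t <= t0 + window}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged

if __name__ == "__main__":
    print(irc_then_445_scanners(SAMPLE_LOG))  # {'10.1.2.30': 5}
```

Hosts that only scan 445 without a prior 6667 connection (10.1.2.31 in the sample) or only connect to 6667 (10.1.2.40) are not flagged, so the check keys on the combination the post reports rather than on either port alone.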


