[Dshield] Port 445 Traffic

Danny danny at eboundary.com
Sun Mar 9 16:25:10 GMT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

|->-----Original Message-----
|->From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
|->Behalf Of Doug White
|->Sent: Sunday, March 09, 2003 10:19 AM
|->To: General DShield Discussion List
|->Subject: Re: [Dshield] Port 445 Traffic
|->
|->Yes, we are experiencing the same - started around noon on Friday - but
|->really picked up the past 24 hours - and are coming from all over.
|->
|->======================================
|->Got DSL?  Check it out!
|->For hosting solutions http://www.clickdoug.com
|->ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
|->======================================


This was sent to the full-disclosure email lists and would probably be
the reason for this increase in port 445 scanning...


Harbin Institute of Technology & Antiy United Cert Group 
Worm.Dvldr analysis report
  
On Mar. 8th, 2003, Harbin Institute of Technology & Antiy United
Cert Group found abnormal network communication on several monitoring
nodes of China Telecom and the China Education and Research Network.
  
The abnormal behaviour is as follows:
1.       The monitoring nodes found several nodes sending TCP 445
packets to a large number of target hosts.
2.       Each abnormal node sent the packets to consecutive IP
addresses.
Through reverse checking we found the following in common on the target hosts:
1.       The operating system is Windows NT/2000.
2.       The operating system has both ports 5800 and 5900 of the
AT&T remote manager open.

After that, we contacted the administrator of the target host in time
and obtained samples. The first checking results are as follows:
In the system list there is an executable program called Dvldr32.exe,
which produces the abnormal communication by sending a large quantity of
data packets. Besides, there are several abnormal files and abnormal
registry key entries. The list of abnormal files is as follows:

File name          Possible directory                                            Size
dvldr32.exe        %windir%/system32 (NT/2K), %windir%/system (9x)               745,984
explorer.exe       %windir%/fonts                                                212,992
omnithread_rt.dll  %windir%/fonts                                                 57,344
VNCHooks.dll       %windir%/fonts                                                 32,768
rundll32.exe       %windir%/fonts                                                 29,336
cygwin1.dll        %windir%/system32 (NT/2K), %windir%/system (9x)               944,968
INST.exe           C:\Documents and Settings\All Users\Start Menu\Programs\Startup\inst.exe
                   C:\WINDOWS\Start Menu\Programs\Startup\inst.exe
                   C:\WINNT\All Users\Start Menu\Programs\Startup\inst.exe       684,562

The registry is modified as follows:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMan"="C:\\WINDOWS\\Fonts\\rundll32.exe"
"Explorer"="C:\\WINDOWS\\Fonts\\explorer.exe"

[HKEY_CURRENT_USER\Software\ORL]

[HKEY_CURRENT_USER\Software\ORL\WinVNC3]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"Password"=hex:[here we do some shields]
"PollUnderCursor"=dword:00000001
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000001
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000001

[HKEY_CURRENT_USER\Software\ORL\VNCHooks]

[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs]

[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\EXPLORER.EXE]

The further analysis is as follows:
   Dvldr32.exe is packed by Aspack. This virus, which is written in MS
VC 6.0, sends out a large number of packets with the aim of infecting the
network. The file also includes 3 executable files. Two of them are
"Psexesvc" and "Remote process launcher". They are command tools
published by Sysinternals Corporation. They are not created on the file
system, and are called by Dvldr32.exe only. The other program is an
install package made by an uncommon install tool. The package includes 5
files, 3 of which (Explorer.exe, VNCdll32.dll and Omnithread_rt.dll) are
network management tools which belong to the corporation AT&T.
   Rundll32.dll is not the normal one in the Microsoft operating system.
It may be a Linux program which was ported to Windows. We are still
analysing its basic principle.
Spread principle:
   When running, the program will select 2 IP ranges at random and
connect to the target host's port 445 to obtain the network packet. Once
the target machine's administrator password is null or is in the list
included in this file, the program will copy itself to that system.
Backdoor:
   The virus uses the regular system management tool VNC (version
3.3.3.9) as its backdoor, and installs it in the target computer's
operating system. Through some technical treatment, the icon will not
appear when VNC is running. Because VNC cannot connect to the computer
when the machine is locked, this function is limited.
What the user can do:
  The user with an NT/2K OS must set a strong admin password first,
then use AntiyPort http://www.antiy.net/download/antiyports.exe
or another process management tool to kill the process named
dvldr32.exe. After doing this, the user must delete all files listed in
the table above, and then restart the computer.
  
The special kill tool & the further response message:
Harbin Institute of Technology & Antiy United Cert Group will keep
paying attention to the developing state of affairs, and we will
release an in-depth analysis report. We will also release two copies
(both Chinese and English) of the special kill tool at about 21:40
Beijing Time (Mar. 8th, 2003). On Mar. 9th, 2003, Beijing Time, the
anti-virus database will be updated. After that, you can download the
Antiy Ghostbusters database file here:
http://www.antiy.net/update/ex.gbl
You can overwrite the same file in the Antiy Ghostbusters install path
(default is :\Program Files\Antiy Labs\Antiy Ghostbusters); after that
you can check for this worm with Antiy Ghostbusters. More information on
Antiy Ghostbusters: http://www.antiy.net/ghostbusters

Password list of this worm:
.data:0040A038                 dd offset aAdmin        ; "admin"
.data:0040A03C                 dd offset aAdmin_0      ; "Admin"
.data:0040A040                 dd offset aPassword     ; "password"
.data:0040A044                 dd offset aPassword_0   ; "Password"
.data:0040A048                 dd offset a1            ; "1"
.data:0040A04C                 dd offset a12           ; "12"
.data:0040A050                 dd offset a123          ; "123"
.data:0040A054                 dd offset a1234         ; "1234"
.data:0040A058                 dd offset a12345        ; "12345"
.data:0040A05C                 dd offset a123456       ; "123456"
.data:0040A060                 dd offset a1234567      ; "1234567"
.data:0040A064                 dd offset a12345678     ; "12345678"
.data:0040A068                 dd offset a123456789    ; "123456789"
.data:0040A06C                 dd offset a654321       ; "654321"
.data:0040A070                 dd offset a54321        ; "54321"
.data:0040A074                 dd offset a111          ; "111"
.data:0040A078                 dd offset a000000       ; "000000"
.data:0040A07C                 dd offset a00000000     ; "00000000"
.data:0040A080                 dd offset a11111111     ; "11111111"
.data:0040A084                 dd offset a88888888     ; "88888888"
.data:0040A088                 dd offset aPass         ; "pass"
.data:0040A08C                 dd offset aPasswd       ; "passwd"
.data:0040A090                 dd offset aDatabase     ; "database"
.data:0040A094                 dd offset aAbcd         ; "abcd"
.data:0040A098                 dd offset aAbc123       ; "abc123"
.data:0040A09C                 dd offset aOracle       ; "oracle"
.data:0040A0A0                 dd offset aSybase       ; "sybase"
.data:0040A0A4                 dd offset a123qwe       ; "123qwe"
.data:0040A0A8                 dd offset aServer       ; "server"
.data:0040A0AC                 dd offset aComputer     ; "computer"
.data:0040A0B0                 dd offset aInternet     ; "Internet"
.data:0040A0B4                 dd offset aSuper        ; "super"
.data:0040A0B8                 dd offset a123asd       ; "123asd"
.data:0040A0BC                 dd offset aIhavenopass  ; "ihavenopass"
.data:0040A0C0                 dd offset aGodblessyou  ; "godblessyou"
.data:0040A0C4                 dd offset aEnable       ; "enable"
.data:0040A0C8                 dd offset aXp           ; "xp"
.data:0040A0CC                 dd offset a2002         ; "2002"
.data:0040A0D0                 dd offset a2003         ; "2003"
.data:0040A0D4                 dd offset a2600         ; "2600"
.data:0040A0D8                 dd offset a0            ; "0"
.data:0040A0DC                 dd offset a110          ; "110"
.data:0040A0E0                 dd offset a111111       ; "111111"
.data:0040A0E4                 dd offset a121212       ; "121212"
.data:0040A0E8                 dd offset a123123       ; "123123"
.data:0040A0EC                 dd offset a1234qwer     ; "1234qwer"
.data:0040A0F0                 dd offset a123abc       ; "123abc"
.data:0040A0F4                 dd offset a007          ; "007"
.data:0040A0F8                 dd offset aAlpha        ; "alpha"
.data:0040A0FC                 dd offset aPatrick      ; "patrick"
.data:0040A100                 dd offset aPat          ; "pat"
.data:0040A104                 dd offset aAdministrator ; "administrator"
.data:0040A108                 dd offset aRoot         ; "root"
.data:0040A10C                 dd offset aSex          ; "sex"
.data:0040A110                 dd offset aGod          ; "god"
.data:0040A114                 dd offset aFoobar       ; "foobar"
.data:0040A118                 dd offset aA            ; "a"
.data:0040A11C                 dd offset aAaa          ; "aaa"
.data:0040A120                 dd offset aAbc          ; "abc"
.data:0040A124                 dd offset aTest         ; "test"
.data:0040A128                 dd offset aTest123      ; "test123"
.data:0040A12C                 dd offset aTemp         ; "temp"
.data:0040A130                 dd offset aTemp123      ; "temp123"
.data:0040A134                 dd offset aWin          ; "win"
.data:0040A138                 dd offset aPc           ; "pc"
.data:0040A13C                 dd offset aAsdf         ; "asdf"
.data:0040A140                 dd offset aSecret       ; "secret"
.data:0040A144                 dd offset aQwer         ; "qwer"
.data:0040A148                 dd offset aYxcv         ; "yxcv"
.data:0040A14C                 dd offset aZxcv         ; "zxcv"
.data:0040A150                 dd offset aHome         ; "home"
.data:0040A154                 dd offset aXxx          ; "xxx"
.data:0040A158                 dd offset aOwner        ; "owner"
.data:0040A15C                 dd offset aLogin        ; "login"
.data:0040A160                 dd offset aLogin_0      ; "Login"
.data:0040A164                 dd offset aPwd          ; "pwd"
.data:0040A168                 dd offset aPass         ; "pass"
.data:0040A16C                 dd offset aLove         ; "love"
.data:0040A170                 dd offset aMypc         ; "mypc"
.data:0040A174                 dd offset aMypc123      ; "mypc123"
.data:0040A178                 dd offset aAdmin123     ; "admin123"
.data:0040A17C                 dd offset aPw123        ; "pw123"
.data:0040A180                 dd offset aMypass       ; "mypass"
.data:0040A184                 dd offset aMypass123    ; "mypass123"
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Cheers
Danny
Network Security Engineer


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPmtq5X8l+vsju1DoEQIZmwCg7F5vKjse9BflYT3Sw17R1LQKKnEAni7t
jS6k4Rdb8OUM0+JAhijF+Tzg
=xPgF
-----END PGP SIGNATURE-----
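The scanning pattern the forwarded report describes (one source sending TCP 445 packets to a large number of hosts at consecutive IP addresses) is the signal a flow-level detector keys on. The script below is an added example and is not code from this post, the DShield list or the Antiy report. It assumes a simple whitespace-separated flow record (timestamp, source, destination, destination port, protocol); the records, the addresses and the thresholds are constructed for illustration.

```python
"""Flag sources that sweep TCP/445 across consecutive IPv4 addresses.

Added example, not from the original post or the Antiy report. The flow
record layout (timestamp src dst dport proto) is an assumption, and every
record below is constructed for illustration.
"""
from collections import defaultdict
import ipaddress

# Constructed sample flow log: one line per connection attempt.
# 10.0.0.5 walks 192.0.2.1-8 on port 445 (the worm pattern);
# 10.0.0.9 touches one host; 10.0.0.7 sweeps but on port 80.
SAMPLE_FLOWS = """\
2003-03-08T12:00:01 10.0.0.5 192.0.2.1 445 tcp
2003-03-08T12:00:01 10.0.0.5 192.0.2.2 445 tcp
2003-03-08T12:00:02 10.0.0.5 192.0.2.3 445 tcp
2003-03-08T12:00:02 10.0.0.5 192.0.2.4 445 tcp
2003-03-08T12:00:03 10.0.0.5 192.0.2.5 445 tcp
2003-03-08T12:00:03 10.0.0.5 192.0.2.6 445 tcp
2003-03-08T12:00:04 10.0.0.5 192.0.2.7 445 tcp
2003-03-08T12:00:04 10.0.0.5 192.0.2.8 445 tcp
2003-03-08T12:00:05 10.0.0.9 192.0.2.50 445 tcp
2003-03-08T12:00:06 10.0.0.9 192.0.2.50 139 tcp
2003-03-08T12:00:07 10.0.0.7 192.0.2.10 80 tcp
2003-03-08T12:00:07 10.0.0.7 192.0.2.11 80 tcp
2003-03-08T12:00:07 10.0.0.7 192.0.2.12 80 tcp
"""


def parse_flows(text):
    """Yield (src, dst, dport) from the constructed flow format, skipping blanks."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, _proto = line.split()
        yield src, dst, int(dport)


def longest_consecutive_run(addresses):
    """Length of the longest run of numerically adjacent IPv4 addresses."""
    nums = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_sweepers(text, port=445, min_targets=5, min_run=4):
    """Map src -> (distinct targets, longest consecutive run) for sources that
    hit `port` on at least `min_targets` hosts with a consecutive run of at
    least `min_run` addresses. Thresholds are assumptions, not from the report."""
    targets = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if dport == port:
            targets[src].add(dst)
    hits = {}
    for src, dsts in targets.items():
        run = longest_consecutive_run(dsts)
        if len(dsts) >= min_targets and run >= min_run:
            hits[src] = (len(dsts), run)
    return hits


if __name__ == "__main__":
    for src, (count, run) in find_sweepers(SAMPLE_FLOWS).items():
        print(f"{src}: {count} distinct TCP/445 targets, longest consecutive run {run}")
```

The consecutive-run check is what separates this sweep from a host that legitimately talks SMB to many scattered servers; on real sensor output you would also window the counts by time, since the report notes the traffic ramped up over roughly a day.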


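On the host side, the report's registry dump gives two things to look for: Run entries that launch executables out of the Fonts directory, and a WinVNC3 configuration under HKEY_CURRENT_USER\Software\ORL that the worm installs as its backdoor. The parser below is an added example, not code from this post or from Antiy. It reads a REGEDIT4 export; the embedded export is built from the fragment in the report, with a constructed benign Run entry added and the Password value replaced by a constructed placeholder.

```python
"""Triage a REGEDIT4 export for the persistence and VNC backdoor keys that
the Dvldr report lists. Added example, not from the original post or Antiy.
The export below reuses the report's keys; the "Updater" entry and the
Password bytes are constructed placeholders.
"""
import re

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMan"="C:\\WINDOWS\\Fonts\\rundll32.exe"
"Explorer"="C:\\WINDOWS\\Fonts\\explorer.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_CURRENT_USER\Software\ORL\WinVNC3]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"Password"=hex:00,00,00,00,00,00,00,00
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# File names from the report's table (lower-cased). Several are also normal
# Windows names, so the location, not the name alone, decides the finding.
DROPPED_NAMES = {"dvldr32.exe", "explorer.exe", "omnithread_rt.dll",
                 "vnchooks.dll", "rundll32.exe", "cygwin1.dll", "inst.exe"}


def parse_regedit4(text):
    """Return {key_path: {value_name: raw_data}} from a REGEDIT4 export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def unquote_path(data):
    """Turn a REG_SZ value such as "C:\\\\WINDOWS\\\\x.exe" into C:\\WINDOWS\\x.exe."""
    if data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return data.replace("\\\\", "\\")


def triage(text):
    """Return (reason, key, value_name, detail) findings for the export."""
    keys = parse_regedit4(text)
    findings = []
    for key, values in keys.items():
        lowkey = key.lower()
        if lowkey.endswith(r"\microsoft\windows\currentversion\run"):
            for name, data in values.items():
                path = unquote_path(data)
                parts = path.lower().split("\\")
                if "fonts" in parts[:-1]:
                    # Executables do not belong under the Fonts directory.
                    findings.append(("run-entry-in-fonts-dir", key, name, path))
                elif parts[-1] in DROPPED_NAMES:
                    # Name matches the table; verify path and size by hand.
                    findings.append(("run-entry-matches-listed-name", key, name, path))
        elif lowkey == r"hkey_current_user\software\orl\winvnc3":
            detail = ("Password value present" if "Password" in values
                      else "no Password value")
            findings.append(("winvnc3-config", key, None, detail))
    return findings


if __name__ == "__main__":
    for reason, key, name, detail in triage(SAMPLE_REG):
        print(f"{reason}: [{key}] {name or ''} -> {detail}")
```

An unexpected WinVNC3 key alone is not proof of infection, since VNC is a legitimate tool; what makes it notable here is its combination with Run entries pointing into Fonts and the files from the report's table.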
