[unisog] Re: Coordinated Scan

mnx mnx at utk.edu
Fri Mar 22 18:22:15 GMT 2002

We had 20-25 hosts affected here...still running them down and still gathering 
information...temp.exe, temp2.exe, and temp.scr found in 
c:\winnt\system32...reg entry for temp.exe on some of the hosts

more later,
Mark Newman
University of Tennessee

>===== Original Message From "Sherry M. Rogers" <smrogers at socrates.Berkeley.EDU> =====
>We were one of the campuses with hosts involved in the scan Tracey
>described.  Our network people blocked a couple of hosts because of what
>looked like ddos activity and we were able to correlate this with odd
>packets being flagged by our NIDS (bro) as excessive length ntp/port 123.
>We identified 13 Windows hosts altogether.  When scanned with nmap there
>were two interesting ports open - a port 99 which disappeared on
>subsequent scans, and port 8888.  Connecting to port 8888 revealed that it
>was running a program written by "darkIRC".
>One of the departments involved sent us the following analysis. If
>anyone else sees this exploit, we would really like to get more
>information.  Also if you have knowledge of this darkIRC cohort - which
>is new to us.  BTW, running a "darkIRC" virus scan on the box doesn't
>find the files.
>>Attached are all of the files I could find that I believe were put there
>>by the hacker.  Below you will find both dates and times when the files
>>were copied to the computer as well as a description of what each file
>>seems to do.
>>File creations-
>>File: INDEX.dat Created on computer: 3/5/2002 8:13am Modified: 3/14/2002 
>>File: DDL32.exe Created on computer: 3/14/2002 8:12am
>>File: VMN32.exe Created on computer: 3/14/2002 8:13am
>>File: RUDL32.exe        Created on computer: 3/14/2002 8:13am
>>File: DLL32NOS.exe      Created on computer: 3/14/2002 9:51am
>>File's Action (Significance)
>>File: INDEX.dat
>>Taken from the web cache and seems to show dll32nos.exe being downloaded
>>from http://home.earthlink.net/~robertberry/dll32nos.exe
>>File: DDL32.exe
>>Extracts (but does not launch) mirc file (and associates) named as
>>temp.exe.  One of the files temp2.exe (which is a hidden file) seems to
>>be used to hide the launching of temp.exe.  Temp.exe listens on port 9088.
>>File: VMN32.exe
>>Extracts Serv-U FTP server.  The FTP server file is named lsass.exe (also
>>the name of Microsoft's Local Security Authority SubSystem file which is
>>always running on WinNT-XP boxes and therefore might go unnoticed) and
>>listens on port 43958.
>>File: RUDL32.exe
>>Creates and launches a file named sxeNN.tmp (where NN appears to be 1 or
>>two randomly selected characters).  This tmp file is the darkirc client.
>>File: DLL32NOS.exe
>>Identical to DDL32.exe except that after extracting all of the files it
>>launches the file temp.exe
>>This afternoon the computer will be formatted and rebuilt so that it can
>>be returned to the owner. If you have anything for me to check on let me
>>know quickly.
>Sherry M. Rogers                 University of California, Berkeley
>System & Network Security        phone (510)642-7157
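
The file names and listening ports reported in this thread, turned into a host triage check. This is an added example, not part of the original messages: the `triage` function, its input shapes and the sample inventory are assumptions constructed here.

```python
import ntpath
import re

# Indicators as reported in the thread; matching is case-insensitive.
FILE_NAMES = {"temp.exe", "temp2.exe", "temp.scr",
              "ddl32.exe", "vmn32.exe", "rudl32.exe", "dll32nos.exe"}
SXE_TMP = re.compile(r"sxe.{1,2}\.tmp")  # "sxeNN.tmp", NN = 1 or 2 characters
# Port -> image name the thread tied to it (None where no file was named).
PORTS = {99: None, 8888: None, 9088: "temp.exe", 43958: "lsass.exe"}


def triage(file_paths, listeners):
    """Return sorted findings for one host.

    file_paths: Windows paths; listeners: (tcp_port, image_path) pairs.
    Both input shapes are assumptions of this example.
    """
    findings = []
    for path in file_paths:
        name = ntpath.basename(path).lower()
        if name in FILE_NAMES or SXE_TMP.fullmatch(name):
            findings.append(("file", name))
    for port, image in listeners:
        if port not in PORTS:
            continue
        name = ntpath.basename(image).lower()
        # A port hit alone is weak; port plus the reported image name is strong.
        strength = "port+image" if PORTS[port] == name else "port-only"
        findings.append(("listener", f"{port}/{name}/{strength}"))
    return sorted(set(findings))


# Constructed sample inventory for illustration (not data from the thread).
SAMPLE_FILES = [r"C:\WINNT\system32\TEMP2.EXE", r"C:\WINNT\system32\notepad.exe",
                r"C:\WINNT\Temp\sxe4F.tmp", r"C:\WINNT\Temp\sxe1234.tmp"]
SAMPLE_LISTENERS = [(43958, r"C:\WINNT\Temp\lsass.exe"),
                    (8888, r"C:\WINNT\Temp\sxe4F.tmp"),
                    (80, r"C:\WINNT\system32\inetsrv\inetinfo.exe")]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_FILES, SAMPLE_LISTENERS):
        print(kind, detail)
```

A file named lsass.exe is not flagged by name alone, since the genuine LSASS binary carries that name on every WinNT-XP host; it is only reported when it owns the listener on port 43958.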

