[unisog] IRCd 6667 followed by 445 SYN scan

Chris Garrod garrod at noc.ucsd.edu
Fri Apr 4 17:16:05 GMT 2003


"Harris, Michael C." <HarrisMC at health.missouri.edu> wrote:

> Delivered-To: mailing list unisog at sans.org
> Date: Thu, 3 Apr 2003 22:33:55 -0600
> Message-ID: <C8B8CBB239CC934FB690C485B0A88AB00F822C at UMH-EMAIL1.umh.edu>
> 
> Anyone else seeing compromised machines that are doing outbound SYN scans on port 445 and are under control via IRC port 6667?  Blocking the 6667 traffic stops the scanning.  Compromised hosts show positive infection of W32Kwbot.E.Worm as per NAV, but forensics show this as a different virus/worm. I have confirmed this is not Deloder or Netspree as well.
>  
> A file named "Yes Uninstaller.exe" was found on compromised hosts, written to the Windows and system32 directories at the moment of compromise.
> 
> 	Created directories:
> 	C:\WINDOWS\System32\drivers\media\cat32
> 	C:\WINDOWS\System32\drivers\media
> 	Installed files:
> 	C:\WINDOWS\System32\drivers\media\cat32\delttsul.exe
> 	C:\WINDOWS\System32\drivers\media\cat32\doskey.exe
> 	C:\WINDOWS\System32\drivers\media\cat32\usrmgr.exe
> 	C:\WINDOWS\System32\drivers\media\cat32\tifflt.dll
> 	C:\WINDOWS\System32\drivers\media\cat32\termsrv.exe
> 	C:\WINDOWS\System32\drivers\media\cat32\TAPI.EXE
> 	C:\WINDOWS\System32\drivers\media\cat32\services.exe
> 	C:\WINDOWS\System32\drivers\media\cat32\rcfg.ini
> 	C:\WINDOWS\System32\drivers\media\cat32\oissq400.dll
> 	C:\WINDOWS\System32\drivers\media\cat32\ntds.dit
> 	C:\WINDOWS\System32\drivers\media\cat32\ntbooks.exe
> 	C:\WINDOWS\System32\drivers\media\cat32\hlink.bat
> 	C:\WINDOWS\System32\drivers\media\cat32\faxocm.bat
> 	C:\WINDOWS\System32\drivers\media\cat32\wmvdmoe2.dll
> 	Created registry values:
> 	Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
> 	Value: Services
> 	
> 
> 	Mike 
> 
> 	-------------------------------------------------- 
> 	Michael C Harris 
> 	System Security Analyst 
> 	University of Missouri Health Center 
> 
> 	harrismc at health.missouri.edu 
> 	-------------------------------------------------- 

I saw something similar on a compromised laptop.

Same directories, same files with two additions: spread.txt
and TIMER.bat.

spread.txt contains ----------------------------
There are no entries in the list.

TIMER.bat contains -----------------------------
@echo off
ping 127.0.0.1 -n 1
del msdart32.dll
del wmvdmoe2.dll
del usrmgr.exe
del hlink.bat
del spread.txt
del faxocm.bat
del tifflt.dll
del TAPI.exe
del ntds.dit
del oissq400.dll
del doskey.exe
del termsrv.exe
del ntbooks.exe
del rcfg.ini
del services.exe
del TIMER.bat

-------------------- 
Here is a directory listing after some work was done:
year mo dy  hr min GMT?          size  filename
---- -- --  -- ---             ------- --------
2003 04 01  16 07                2,800 rcfg.ini
2003 02 04  03 56               40,960 doskey.exe
2003 02 04  03 56               57,344 ntbooks.exe
2003 02 04  03 56               11,264 ntds.dit
2003 02 04  03 56               40,960 termsrv.exe
2003 02 04  03 56               53,760 usrmgr.exe
2003 02 04  03 56                8,704 wmvdmoe2.dll
2003 02 04  03 56              122,880 TAPI.EXE
2003 02 22  22 23                  211 hlink.bat
2003 03 24  23 39              526,848 s.exe
2003 03 25  01 00               17,658 tifflt.dll
2003 03 25  01 04               19,496 oissq400.dll
2003 03 25  01 59                2,328 faxocm.bat
2003 03 25  17 44              900,088 delttsul.exe
2003 03 31  15 51                   38 spread.txt
2003 04 01  14 46                  291 TIMER.bat
2003 04 01  14 46                  199 msdart32.dll
2002 07 22  20 05               88,848 services.exe

File s.exe was the original services.exe; renaming it stopped it from
trying to contact port 6667 on three addresses.  After the renaming,
the CPU utilization was 100%, all of it for the program services.
Copying services.exe from WinNT\System32 didn't fix that.

Removal of a few registry items -- search for cat32 -- finally got
the CPU usage back to normal values.

I took a zip of the files onto a machine with a fresh Norton update.
Scanning that directory found:
	BAT.Trojan		in faxocm.bat
	Hacktool.Flooder	in termsrv.exe and usrmgr.exe
	IRC Trojan		in oissq400.dll
	Trojan dropper		in delttsul.exe
The Norton Antivirus Repair Wizard was unable to repair them.

Norton did not find these on the compromised host.  I'm going to
look at it again.  I may have turned off bad behavior but not gotten
rid of all of it.  I've got to get back there now.  More later.



--=--
Happy Computing,     Chris Garrod            http://igpp.ucsd.edu/~garrod
cgarrod at ucsd.edu     Minister of Networks        858-534-4870  fax...2902
Inst. of Geophysics and Planetary Physics, UCSD, La Jolla, CA  92093-0225
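One way to pick the control-then-scan pattern described in this thread (an outbound IRC session on 6667 followed by a fan-out of SYNs to 445) out of connection logs. This is an added example, not code from the original posts; it assumes a constructed "timestamp src dst dport flags" record format and uses constructed sample flows.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IRC_PORT, SMB_PORT = 6667, 445


def parse_flows(text):
    """Parse constructed 'timestamp src dst dport flags' records into dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, flags = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(dport), "flags": flags})
    return flows


def find_irc_controlled_scanners(flows, window=timedelta(minutes=5), min_targets=10):
    """Return {src: (irc_server, distinct_445_targets)} for hosts that sent a SYN
    to TCP 6667 and then SYN-scanned at least `min_targets` distinct hosts on
    TCP 445 within `window` of that IRC connection."""
    by_src = defaultdict(list)
    for f in flows:
        if f["flags"] == "S":            # outbound SYNs only (constructed flag notation)
            by_src[f["src"]].append(f)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda f: f["ts"])
        for i, f in enumerate(recs):
            if f["dport"] != IRC_PORT:
                continue
            targets = {g["dst"] for g in recs[i + 1:]
                       if g["dport"] == SMB_PORT and g["ts"] - f["ts"] <= window}
            if len(targets) >= min_targets:
                hits[src] = (f["dst"], len(targets))
                break
    return hits


def build_sample():
    """Constructed flow records (not from the thread): one bot, one plain IRC user,
    one host doing ordinary SMB to a single server."""
    lines = ["2003-04-03T22:10:00 10.1.1.5 192.0.2.10 6667 S",   # bot joins IRC
             "2003-04-03T22:11:00 10.1.1.9 192.0.2.10 6667 S",   # IRC only, no scan
             "2003-04-03T22:12:00 10.1.1.7 10.1.1.20 445 S"]     # legitimate SMB
    for n in range(1, 31):                                        # bot fans out on 445
        lines.append(f"2003-04-03T22:{10 + n // 20:02d}:{(n % 20) * 3:02d} "
                     f"10.1.1.5 198.51.100.{n} 445 S")
    return "\n".join(lines)


if __name__ == "__main__":
    print(find_irc_controlled_scanners(parse_flows(build_sample())))
```

Tune `window` and `min_targets` to the site's normal SMB fan-out; a host that only talks IRC, or only talks SMB, is not flagged.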
