[unisog] Anyone recognize what this one is?

Anderson Johnston andy at umbc.edu
Wed Aug 6 17:47:00 GMT 2003


We get this a lot.  If you download fport
(http://www.foundstone.com/resources/termsofuse.htm?file=fport.zip)
you can see which process is attached to the local port on the connection
to 208.185.81.233:6667.  Fport will also give you the pathname for the
executable.  It's probably a 'bot.

Sysinternals Filemon
(http://www.sysinternals.com/ntw2k/source/filemon.shtml)
will let you see if the process is accessing disk files.  These could be
logs or (often) downloads of MPAA-bait.


Also, check your registry key:

	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

to see if there is something starting up on reboot that you didn't put
there.  Try searching the registry for the string "firedaemon", too.
That's a common component to these 'bots.

I usually do a trinux boot and use Sleuthkit tools to generate a timeline
as well.  It's helpful in making sure that you pick out all the files that
were part of the same exploit.  It may also confirm your estimate that the
exploit started this last weekend.

Having done all of this, I *still* recommend a reformat/reinstall.  You
never know if you got it all.


On Wed, 6 Aug 2003, Peter Van Epp wrote:

> 	Anyone recognize what this may be? It was attempting to contact an
> IRC server on 208.185.81.233:6667 (unsuccessfully from here) when detected
> on someone's laptop. Our Windows folks haven't been able to identify it with
> antivirus software or the various web sites to see if it may be cleanable and
> apparently the owner isn't thrilled with the suggestion that they format and
> reinstall (what do you mean "backup"? ...). Looks to have been caught last
> Saturday or Sunday although it may not be new. Any pointers appreciated.
>
> Peter Van Epp / Operations and Technical Support
> Simon Fraser University, Burnaby, B.C. Canada
>
> > 	While this doesn't look like yours, the MO is similar enough that
> > yours may be a variant.
> >
>
> Yes, there is a TFTP application there, but that's about all that looks
> similar.  For your unisog pals ...
>
>
> The "services" that are installed are named
>
>   Microsoft Critical System Processor
>
> and
>
>   Microsoft DHCP Routing Client
>
> and are run out of the directory listed below.
>
>
> The root directory is stored in the Recycle bin, as in
>
>   C:\Recycler\Some-long-SID\SYSTEM32
>
> Contained in the root directory are 5 subdirectories and a bunch of
> files.
>
> In the root (system32) directory, here are the files ...
>
> The DLLs are
>
> fuck.dll
> fuckaducker.dll
> fuckaduckerfuck.dll
> masters.dll
> servers.dll
>
> There are also several SYS files
>
> file.sys
> modules.sys
> windll.sys
>
> And the executables
>
> dc.exe
> destroy.exe
> ftp.exe
> grab.exe
> id.exe
> MSSVC.exe	( which is the "services" file )
> nc.exe
> pack.exe
> sd.exe
> services.exe
> start.exe
> svchost.exe
> systray.exe
>
> There is also a text file, in the sort of a banner.  The first line
> reads
>
>   Welcome to the #WaReZFoReVeR File Serving System
>
>
> And finally an ini file, with one interesting line in it
>
> n38=%installurl http://12.168.164.99/~powellt/install.exe
>
>
> The subdirectories (and their files) are as follows
>
> DCOMUP
>
> 	install.exe
>
> FSYS
>
> 	{empty}
>
> LOGS
>
> 	{empty}
>
> MODULES
>
> 	7a69.dll
> 	bnc.dll
> 	drivenfo.dll
> 	fservcontrol.dll
> 	modules.dll
> 	nickserv.dll
> 	processes.dll
> 	pubcom.dll
> 	raw.dll
> 	scan.dll
> 	system.dll
> 	uptime.dll
>
> SOUNDS
>
> 	{empty}
>

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------
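An added example (not from this thread or from the Sleuthkit project) of the timeline step Andy describes: it parses body-file lines in the 11-field format that current Sleuthkit `fls -m` / `mac-robber` emit, builds a mactime-style MAC timeline, and pulls out the files created or modified during the suspected weekend while ignoring rows that only record a read. The sample lines, the placeholder SID in the Recycler path and the Sat-to-Mon window are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample body file (epoch seconds, UTC); the SID is a placeholder. The
# Recycler entries were created early Sat 2 Aug 2003; the other two were only *read* then.
SAMPLE_BODY = """\
0|C:/WINDOWS/system32/kernel32.dll|1201|r/rrwxrwxrwx|0|0|983040|1059900000|1033000000|1033000000|1033000000
0|C:/Recycler/S-1-5-21-PLACEHOLDER/SYSTEM32/MSSVC.exe|4410|r/rrwxrwxrwx|0|0|204800|1059880000|1059793800|1059793800|1059793800
0|C:/Recycler/S-1-5-21-PLACEHOLDER/SYSTEM32/DCOMUP/install.exe|4411|r/rrwxrwxrwx|0|0|61440|1059793920|1059793920|1059793920|1059793920
0|C:/Recycler/S-1-5-21-PLACEHOLDER/SYSTEM32/MODULES/scan.dll|4420|r/rrwxrwxrwx|0|0|40960|1059794100|1059794100|1059794100|1059794100
0|C:/Documents and Settings/user/My Documents/notes.txt|5001|r/rrwxrwxrwx|0|0|2048|1059900000|1055000000|1055000000|1055000000
"""
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")
TIMES = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))

def parse_body(text):
    """Parse body lines into dicts; the four timestamps become ints."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for _, key in TIMES:
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def build_timeline(records):
    """mactime-style rows (ts, 'macb' flags, path), one per distinct timestamp, sorted."""
    rows = []
    for rec in records:
        by_ts = {}
        for letter, key in TIMES:
            by_ts.setdefault(rec[key], set()).add(letter)
        for ts, letters in by_ts.items():
            rows.append((ts, "".join(l if l in letters else "." for l in "macb"), rec["name"]))
    return sorted(rows)

def files_in_window(timeline, start, end, ignore_access_only=True):
    """Paths active in [start, end); access-only rows are noise and skipped by default."""
    return sorted({name for ts, macb, name in timeline
                   if start <= ts < end and not (ignore_access_only and macb == ".a..")})

if __name__ == "__main__":
    start = int(datetime(2003, 8, 2, tzinfo=timezone.utc).timestamp())  # Sat 00:00 UTC
    end = int(datetime(2003, 8, 4, tzinfo=timezone.utc).timestamp())    # Mon 00:00 UTC
    tl = build_timeline(parse_body(SAMPLE_BODY))
    print("created/modified that weekend:", files_in_window(tl, start, end))
```

Widen or shift the window once the first hit is found; the point is that everything dropped in the same short burst belongs to the same intrusion.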