[unisog] New worm?

Ed Zawacki edz at uic.edu
Mon Dec 1 16:41:43 GMT 2003

At 10:04 AM 12/1/2003 -0600, you wrote:
>Edward Zawacki wrote:
>>We are seeing a new worm (new to us at least ;).
>>It is scanning random IP addresses on ports 135 and 445. It has
>>scanned on sequential addresses 4 times though (unless that was
>>a separate beast).
>>Once a machine is infected, several random ports are opened
>>and at least one of them appears to be attempting to send
>>an executable.
>>On the few we scanned, port 1019 answers with:
>>220 an Cr3w Site^M^M
>>221 l8r...
>>The one machine that we looked at had a registry
>>entry in HKLM../RunServices for "Windows Updater"
>>with a value of "svthost.exe".
>>Norton run on the machine picked up Welchia and
>>quarantined two files. Welchia never scanned on
>>port 445 though...
>>Any ideas as to what this is?
>Based on the information you have presented, I'd say that it is probably 
>not a worm. Often machines that are compromised and used for Warez are 
>also set up with scanning software (someone mentioned XScan; good guess if 
>you ask me) and are used to scan other machines, looking for specific 
>vulnerabilities. The "new owners" of the compromised machine then look 
>through the scanner logs to see what machines are vulnerable to whatever 
>they are looking for, and manually compromise them, and the cycle continues...

Sorry for jumping the gun, here's what happened:

We have scripts that watch the flow logs for scanners. When a scanner
is found, an email is generated that contains the first 150 lines of flows
for the given host and a summary as to what was being scanned port-wise.

We have been running the scripts for months already and have seen many,
many Welchia flows. The flows for this host *were* new in the sense that
we haven't seen warez people exploiting the 135/445 port combo before, but
what threw me was that Welchia was found on the machine. It appeared at the
time that something was being picked up as Welchia, but was perhaps a variant.

I extracted all the flows for that host and found that after the machine 
was tagged
as a scanner, but before it was automatically filtered from the network, it 
also infected with Welchia and started scanning sequentially like a nice 
worm should and picking on port 135. The other random scans on port 135/445
continued, but on different IP addresses than the Welchia scan.

So, for us at least, seeing warez bots spreading via port 135/445 is new, 
but this
is not technically a worm. We've had about  10 other machines hit this way 
since the
first sighting.


>Brian Eckman
>Security Analyst
>OIT Security and Assurance
>University of Minnesota
>"There are 10 types of people in this world. Those who
>understand binary and those who don't."

More information about the unisog mailing list