
RE: Interesting little piece of malware...: msg#00035

security.intrusions

Subject: RE: Interesting little piece of malware...

Port 113 is IDENT and used for IRC.
This likely means that the machines are running an IRC bot and this IDENT service is used as part of the identification.

-----Original Message-----
From: Jim Becher [mailto:jim@xxxxxxxxxx]
Sent: Wednesday 12 May 2004 6:48
To: intrusions@xxxxxxxxxxxxx
Subject: [Intrusions] Interesting little piece of malware...


I have been out of town for the past 5-6 days, so I don't know if this has been covered here or not... hopefully not a waste of bits.

On a couple of machines today (started first thing this morning), I started noticing Welchia type scanning (local class B preference, port 135, etc). I also noticed some IRC command and control traffic from the machines that were responsible for the scanning. The scanning activity was all from WinXP and Win2K machines. Symantec anti-virus running, updated sigs in the last few days. Symantec wasn't flagging anything.

I notified the netblock owner of the IP address space where the IRC server was running. The IRC server was full -- it indicated that the maximum number of connections had been reached. The IRC server was running on port 7000. I have packets from the IRC sessions, but they are not handy at the moment (ping, pong, [Scan], several hundred invisible clients, "Exploiting x.x.x.x", and so forth).

Using pstools, I took a listing of the running processes. Each of the machines seems to have a process running with what appeared to be a randomly generated name of around 6 or 7 characters. I pushed fport over to the infected machine, and retrieved the name of the executable responsible (<process name>.exe) -- a hidden executable in system root (attributes SHR).

From an external perspective, I ran a quick portscan and noticed that 113/tcp was listening -- which I thought odd since the machines were WinXP/Win2K. I telnet'd to port 113, and hit return a few times. The response I got back was similar to:

$ telnet x.x.163.195 113
Trying x.x.163.195...
Connected to x.x.163.195.
Escape character is '^]'.

: USERID : UNIX : <some random characters>


I did a quick google, and nothing jumped out at me. I assume someone has seen this? The indicators did not seem to line up exactly with Agobot or Phatbot... No "127.0.0.1" in the hosts file, filename was not napatch.exe or wauclt.exe.

I should have a copy of the executable in a few hours. If no-one can point me to an existing, documented piece of malware -- I will submit it for analysis.



-bech


_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions
===========================================================
The information contained in this message may be confidential and is
intended to be only for the addressee. Should you receive this message
unintentionally, please do not use the contents herein and notify the sender
immediately by return e-mail. Although Orange has taken steps to ensure that
this email and attachments are free from any virus, you do need to verify
the possibility of their existence as Orange can take no responsibility for
any computer virus which might be transferred by way of this email.
===========================================================


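The thread's key indicator is a Windows host answering on tcp/113 with a UNIX-style IDENT reply to a blank query. The script below, an added example that is not part of the original thread or any tool mentioned in it, parses IDENT replies in the RFC 1413 format and flags the anomalies a defender would triage: an IDENT responder on a host the inventory says is Windows, a reply that lacks the echoed port pair (a conforming identd would not answer a bare return), an opsys field claiming UNIX on a Windows box, and a random-looking user-id. The inventory, the IP addresses and the sample replies are constructed for the example; the "random-looking" check is a simple heuristic, not a signature.

```python
"""Triage of IDENT (RFC 1413, tcp/113) replies against a host inventory.

Added example, not code from the thread. The inventory and sample replies
below are constructed; replace them with responses captured from your own
scan output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 1413 reply grammar (simplified):
#   <server-port> , <client-port> : USERID : <opsys> : <user-id>
#   <server-port> , <client-port> : ERROR : <error-type>
# The port pair is optional in this regex on purpose so that the malformed
# ": USERID : UNIX : ..." reply from the thread still parses.
IDENT_RE = re.compile(
    r"^\s*(?P<ports>\d*\s*,?\s*\d*)\s*:\s*(?P<kind>USERID|ERROR)\s*:\s*(?P<rest>.*)$",
    re.IGNORECASE,
)


@dataclass
class IdentReply:
    ports: Optional[Tuple[int, int]]  # None when the server echoed no port pair
    kind: str                         # "USERID" or "ERROR"
    opsys: Optional[str]              # opsys field for USERID replies
    userid: Optional[str]             # user-id (USERID) or error-type (ERROR)
    raw: str


def parse_ident(line: str) -> Optional[IdentReply]:
    """Parse one IDENT reply line; return None if it is not IDENT at all."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    ports_txt = m.group("ports").replace(" ", "")
    ports = None
    if "," in ports_txt:
        a, b = ports_txt.split(",", 1)
        if a.isdigit() and b.isdigit():
            ports = (int(a), int(b))
    kind = m.group("kind").upper()
    rest = m.group("rest")
    if kind == "USERID":
        opsys, _, userid = rest.partition(":")
        return IdentReply(ports, kind, opsys.strip(), userid.strip(), line)
    return IdentReply(ports, kind, None, rest.strip(), line)


def looks_random(userid: str) -> bool:
    """Heuristic (an assumption, not a signature): generated user-ids tend to
    be vowel-free consonant strings or letter/digit mixtures."""
    letters = [c for c in userid if c.isalpha()]
    digits = [c for c in userid if c.isdigit()]
    if not letters:
        return False
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return vowels == 0 or (len(digits) > 0 and len(letters) > 0)


def assess(ip: str, reply_line: str, inventory: Dict[str, str]) -> List[str]:
    """Return the list of findings for one host's IDENT reply (empty = benign)."""
    expected_os = inventory.get(ip, "unknown").lower()
    is_windows = expected_os.startswith("win")
    reply = parse_ident(reply_line)
    if reply is None:
        return ["unparseable-reply"]
    findings: List[str] = []
    if is_windows:
        # Windows 2000/XP ship no identd; a listener here is itself suspicious.
        findings.append("ident-on-windows")
    if reply.ports is None:
        # A conforming identd echoes the queried port pair; answering a blank
        # line with no pair is what the thread's telnet test showed.
        findings.append("missing-port-pair")
    if reply.kind == "USERID":
        if is_windows and reply.opsys is not None and reply.opsys.upper() == "UNIX":
            findings.append("opsys-mismatch")
        if reply.userid is not None and looks_random(reply.userid):
            findings.append("random-userid")
    return findings


# Constructed inventory and replies (placeholders, not real hosts).
INVENTORY = {"10.0.163.195": "windows-xp", "10.0.5.7": "linux"}
SAMPLE_REPLIES = [
    ("10.0.163.195", ": USERID : UNIX : qzkxpt"),
    ("10.0.5.7", "6667 , 52000 : USERID : UNIX : alice"),
    ("10.0.5.7", "6667 , 52000 : ERROR : NO-USER"),
    ("10.0.5.7", "220 ftp ready"),
]


def triage_all(samples=SAMPLE_REPLIES, inventory=INVENTORY) -> Dict[str, List[str]]:
    """Map each reply line to its findings; handy for a quick table."""
    return {line: assess(ip, line, inventory) for ip, line in samples}


if __name__ == "__main__":
    for line, findings in triage_all().items():
        print(f"{line!r:45} -> {findings or 'ok'}")
```

Run it against replies collected by your own scanner (for example, a bulk tcp/113 probe of the Windows subnets from the page's class B); a host that collects ident-on-windows together with opsys-mismatch is the one to pull a process list from first.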


