Fwd: Re. Port 445 issues (was: Port 80 Issues)

Jonathan Claybaugh jonathan at prioritynetworks.net
Mon Mar 10 23:30:43 UTC 2003



A fine gentleman in New Zealand passed this information along.  A nice 
in-depth analysis.
A sign of infection seems to be heavy outbound traffic on 5800 and 5900, which 
could be useful if you want to stop an outbound flood without null routing 
the destination network.


-----Original Message-----
From: Arjen De Landgraaf
Sent: Monday, 10 March 2003 12:18 p.m.
To: 'Jonathan Claybaugh'; nanog at merit.edu
Subject: RE: Port 445 issues (was: Port 80 Issues)


E-Secure-IT issued a security alert on Saturday New Zealand Time.
Info:

This attack is currently intensifying. (See the DShield port 445 graph
website at the bottom of this alert for info on increase.)

For updates we strongly advise subscribers to activate their alert
notifications on the E-Secure-IT folder:
"Port 445 Worm info" in location:
http://www.e-secure-it.co.nz/dscgi/ds.py/View/Collection-2519

New info on 445 will not be placed in this Virus Alert folder anymore, but
only in the new port 445 folder instead.
This is done to keep the "virus alerts" free for non-445-related alerts.

Analysis (combined info from messages collected in the port 445 folder):

Early indication of possible infection:

1. Your infrastructure contains server(s) running Windows 2000 or NT
2. Server(s) have (incoming) port 445 open
3. Outgoing ports 5800 and 5900 opened (activated by worm)
4. Server(s) sending large quantities of packets out to port 445 with
consecutive IPs as destination addresses
5. Servers contain a Dvldr32.exe executable (responsible for outgoing
packets)

Other indications(see also file analysis further down this alert):

Possible abnormal files installed:

file               location                                            file size
dvldr32.exe        %windir%/system32 (NT/2K), %windir%/system (9x)       745,984
explorer.exe       %windir%/fonts                                        212,992
omnithread_rt.dll  %windir%/fonts                                         57,344
VNCHooks.dll       %windir%/fonts                                         32,768
rundll32.exe       %windir%/fonts                                         29,336
cygwin1.dll        %windir%/system32 (NT/2K)                             944,968
cygwin1.dll        %windir%/system (9x)                                  944,968
inst.exe           C:\WINDOWS\Start Menu\Programs\Startup                684,562
inst.exe           C:\WINNT\All Users\Start Menu\Programs\Startup        684,562

Possible registry changes:

The registry is modified as follows:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMan"="C:\\WINDOWS\\Fonts\\rundll32.exe"
"Explorer"="C:\\WINDOWS\\Fonts\\explorer.exe"
[HKEY_CURRENT_USER\Software\ORL]

[HKEY_CURRENT_USER\Software\ORL\WinVNC3]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"Password"=hex:[here we do some shields]
"PollUnderCursor"=dword:00000001
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000001
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000001

[HKEY_CURRENT_USER\Software\ORL\VNCHooks]
[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs]
[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\EXPLORER.EXE]

Dvldr32.exe analysis:

Dvldr32.exe is packed with ASPack. This virus, which was written with MS VC 6.0,
sends out large numbers of packets with the aim of infecting the network. This
file also includes 3 executable files. Two of them are "Psexesvc" and "Remote
process launcher". They are command-line tools published by Sysinternals
Corporation. They are not written to the file system, and are called by
Dvldr32.exe only. Another program is an install package made by an uncommon
install tool. The package includes 5 files; 3 of them (Explorer.exe,
VNCdll32.dll and Omnithread_rt.dll) are network management tools which belong
to the corporation AT&T. Rundll32.dll is not the normal one in the Microsoft
operating system. It may be a Linux program which was ported to Windows.

Spread principle:
When running, the program selects 2 IP ranges at random and connects to the
target host's port 445 to get network packets. Once the target machine's
administrator password is null or in the list below, the program copies itself
to that system.

Passwords tried by worm to enter system:

No password
"admin"
"Admin"
"password"
"Password"
"1"
"12"
"123"
"1234"
"12345"
"123456"
"1234567"
"12345678"
"123456789"
"654321"
"54321"
"111"
"000000"
"00000000"
"11111111"
"88888888"
"pass"
"passwd"
"database"
"abcd"
"abc123"
"oracle"
"sybase"
"123qwe"
"server"
"computer"
"Internet"
"super"
"123asd"
"ihavenopass"
"godblessyou"
"enable"
"xp"
"2002"
"2003"
"2600"
"0"
"110"
"111111"
"121212"
"123123"
"1234qwer"
"123abc"
"007"
"alpha"
"patrick"
"pat"
"administrator"
"root"
"sex"
"god"
"foobar"
"a"
"aaa"
"abc"
"test"
"test123"
"temp"
"temp123"
"win"
"pc"
"asdf"
"secret"
"qwer"
"yxcv"
"zxcv"
"home"
"xxx"
"owner"
"login"
"Login"
"pwd"
"pass"
"love"
"mypc"
"mypc123"
"admin123"
"pw123"
"mypass"
"mypass123"


Backdoor:
The virus uses the regular system management tool VNC (version 3.3.3.9, from
AT&T) as its backdoor, and installs it on the target computer's operating
system. Through some technical measures, the icon will not appear when VNC is
running. Because VNC cannot connect to the computer when the machine is locked,
this function is limited.

E-Secure-IT collates all available info around this new port 445 attack.

We strongly advise subscribers to activate their alert notifications on the
E-Secure-IT folder:
"Port 445 Worm info" in location:
http://www.e-secure-it.co.nz/dscgi/ds.py/View/Collection-2519

For further info on VNC and TightVNC (Virtual Network Computing) - AT&T, see
the E-Secure-IT folder:
http://www.e-secure-it.co.nz/dscgi/ds.py/View/Collection-729

Web address of updated graphs:
http://isc.incidents.org/port_details.html?port=445

E-Secure-IT Administrator
www.e-secure-it.us
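An added example, not part of the alert or the forwarded analysis: a Python check for the network-side indicators the alert describes (a host walking port 445 across consecutive destination addresses, and the same host opening outbound 5800/5900 to the VNC backdoor), run over flow records. The flow records are constructed for the example and the two thresholds are assumptions, not figures from the alert.

```python
"""Flag hosts showing the alert's network indicators: outbound TCP/445 to
consecutive destination addresses (the worm sweeping a randomly chosen
range) and outbound 5800/5900 (the VNC backdoor).  Added example; the
flows below are constructed and the thresholds are assumptions.
"""
from collections import defaultdict
import ipaddress

SMB_PORT = 445
VNC_PORTS = {5800, 5900}
MIN_SMB_TARGETS = 8        # assumption: distinct 445 targets before calling it a scan
MIN_CONSECUTIVE_RUN = 5    # assumption: consecutive dst addresses before calling it a scan

# Constructed flow records: (source IP, destination IP, destination TCP port).
SAMPLE_FLOWS = (
    # 10.0.0.5 walks 192.0.2.1 .. 192.0.2.12 on 445, then talks VNC to one of them
    [("10.0.0.5", f"192.0.2.{i}", SMB_PORT) for i in range(1, 13)]
    + [("10.0.0.5", "192.0.2.3", 5900)]
    # 10.0.0.7 is an ordinary client reaching three file servers
    + [("10.0.0.7", d, SMB_PORT) for d in ("192.0.2.50", "192.0.2.51", "192.0.2.60")]
    # 10.0.0.9 is an administrator using VNC to one box, with no 445 sweep
    + [("10.0.0.9", "192.0.2.70", 5900)]
)


def longest_consecutive_run(addresses):
    """Length of the longest run of numerically consecutive IPv4 addresses."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    if not ints:
        return 0
    best = run = 1
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyse_flows(flows):
    """Return {src: {...}} with per-host counts and a verdict string."""
    smb_targets = defaultdict(set)
    vnc_targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == SMB_PORT:
            smb_targets[src].add(dst)
        elif dport in VNC_PORTS:
            vnc_targets[src].add(dst)

    report = {}
    for src in set(smb_targets) | set(vnc_targets):
        targets = smb_targets.get(src, set())
        run = longest_consecutive_run(targets)
        scanning = len(targets) >= MIN_SMB_TARGETS and run >= MIN_CONSECUTIVE_RUN
        vnc_out = bool(vnc_targets.get(src))
        if scanning and vnc_out:
            verdict = "likely infected"
        elif scanning:
            verdict = "scanning port 445"
        elif vnc_out:
            verdict = "vnc outbound only"
        else:
            verdict = "normal"
        report[src] = {
            "smb_targets": len(targets),
            "consecutive_run": run,
            "vnc_outbound": sorted(vnc_targets.get(src, set())),
            "verdict": verdict,
        }
    return report


def suspects(flows):
    """Sources worth filtering or null-routing, most suspicious first."""
    order = {"likely infected": 0, "scanning port 445": 1, "vnc outbound only": 2}
    rep = analyse_flows(flows)
    return [s for s in sorted(rep, key=lambda s: (order.get(rep[s]["verdict"], 9), s))
            if rep[s]["verdict"] != "normal"]


if __name__ == "__main__":
    for src, info in sorted(analyse_flows(SAMPLE_FLOWS).items()):
        print(src, info)
    print("act on:", suspects(SAMPLE_FLOWS))
```

The per-source list from suspects() is what you would feed an ACL on the source side, which is the point made at the top of this thread: blocking the infected host's outbound 5800/5900 and 445 stops the flood without null-routing the destination network. A host with only VNC traffic and no 445 sweep is reported separately so an administrator's legitimate VNC session is not cut off on the same rule.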


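An added example, not part of the alert: a host-side check for the file and registry indicators listed above. The file names, locations, sizes and registry keys are the alert's; the REGEDIT4 parsing, the matching logic and the sample export are mine and the sample's password bytes are placeholders. On a suspect host, export the Run key and HKCU\Software\ORL with reg export (or regedit) and feed the text in; the file check walks %windir%.

```python
"""Check a Windows host for the file and registry indicators in the alert.
Added example; indicator values are from the alert, the parsing and sample
data are not.
"""
import os
import re

# (path relative to %windir%, expected size in bytes), from the alert.
# The alert also lists inst.exe (684,562 bytes) in the Startup folders,
# which live under the user profiles rather than %windir%.
FILE_IOCS = {
    "system32/dvldr32.exe": 745_984,
    "system/dvldr32.exe": 745_984,        # Windows 9x location
    "fonts/explorer.exe": 212_992,
    "fonts/omnithread_rt.dll": 57_344,
    "fonts/vnchooks.dll": 32_768,
    "fonts/rundll32.exe": 29_336,
    "system32/cygwin1.dll": 944_968,
    "system/cygwin1.dll": 944_968,
}

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
VNC_KEY = r"HKEY_CURRENT_USER\Software\ORL\WinVNC3"

_VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor' export into {key: {name: value}}.

    String values are unescaped, dword values become ints; anything else
    (hex:..., default values) is kept as the raw right-hand side.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";@" or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m is None or current is None:
            continue
        name, val = m.groups()
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif val.lower().startswith("dword:"):
            val = int(val[6:], 16)
        keys[current][name] = val
    return keys


def registry_indicators(text):
    """Findings from an export: Run values launching from \\Fonts, and WinVNC3 settings."""
    reg = parse_reg_export(text)
    findings = []
    for name, val in reg.get(RUN_KEY, {}).items():
        if isinstance(val, str) and "\\fonts\\" in val.lower():
            findings.append(f"Run value {name!r} starts {val} from the Fonts directory")
    if VNC_KEY in reg:
        v = reg[VNC_KEY]
        findings.append(f"WinVNC3 settings present (SocketConnect={v.get('SocketConnect')}, "
                        f"password set={'Password' in v})")
    return findings


def collect_sizes(windir):
    """{relative/path (lower-case, forward slashes): size} for every file under windir."""
    sizes = {}
    for root, _dirs, files in os.walk(windir):
        for f in files:
            full = os.path.join(root, f)
            rel = os.path.relpath(full, windir).replace(os.sep, "/").lower()
            sizes[rel] = os.path.getsize(full)
    return sizes


def match_file_iocs(sizes):
    """Report every IOC path that exists.  A size mismatch is still reported:
    an explorer.exe under Fonts is not legitimate at any size."""
    return [{"path": rel, "size": sizes[rel], "expected": expected,
             "size_match": sizes[rel] == expected}
            for rel, expected in FILE_IOCS.items() if rel in sizes]


# Constructed sample export: the Run values and WinVNC3 key shown in the alert,
# one ordinary Run value for contrast, and placeholder bytes for the password.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMan"="C:\\WINDOWS\\Fonts\\rundll32.exe"
"Explorer"="C:\\WINDOWS\\Fonts\\explorer.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CURRENT_USER\Software\ORL\WinVNC3]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"Password"=hex:00,00,00,00,00,00,00,00
'''

if __name__ == "__main__":
    for f in registry_indicators(SAMPLE_REG):
        print("REG:", f)
    for h in match_file_iocs(collect_sizes(os.environ.get("WINDIR", r"C:\WINDOWS"))):
        print("FILE:", h)
```

The Run-key test is deliberately broader than the two names in the alert: nothing legitimate starts from the Fonts directory, so any Run value pointing there is worth a look even if the worm's value names change.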


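An added example, not part of the alert: confirming the VNC backdoor from the network. Hiding the WinVNC tray icon does not hide the listener; a VNC server answers a fresh TCP/5900 connection with the 12-byte RFB ProtocolVersion message, "RFB 003.003\n" for the 3.3 protocol that WinVNC 3.3.x speaks, and port 5800 serves the Java viewer over HTTP. The host list and timeout are assumptions, and a 3.3 banner shows only that some RFB 3.3 server is listening, not which one.

```python
"""Sweep hosts for VNC listeners on 5900 (RFB) and 5800 (HTTP Java viewer)
and classify what answers.  Added example, not from the alert; hosts and
timeout are assumptions.
"""
import re
import socket

RFB_VERSION = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_rfb_banner(data):
    """(major, minor) if `data` begins with an RFB ProtocolVersion message, else None."""
    m = RFB_VERSION.match(data[:12])
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(port, data):
    """Label the first bytes a service sent on 5800/5900."""
    ver = parse_rfb_banner(data)
    if ver is not None:
        return f"rfb {ver[0]}.{ver[1]}"
    if port == 5800 and data.startswith(b"HTTP/"):
        return "http (vnc java viewer port)"
    return "open, unknown banner" if data else "open, silent"


def probe(host, port=5900, timeout=2.0):
    """Connect, read up to 12 bytes, classify.  5800 is HTTP, so send a request there."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if port == 5800:
                s.sendall(b"GET / HTTP/1.0\r\n\r\n")
            data = s.recv(12)
    except OSError as exc:
        return {"host": host, "port": port, "state": f"closed ({exc.__class__.__name__})"}
    return {"host": host, "port": port, "state": classify(port, data)}


def sweep(hosts, ports=(5900, 5800), timeout=2.0):
    """Probe every host:port; returns only the results where something answered."""
    return [r for h in hosts for p in ports for r in [probe(h, p, timeout)]
            if not r["state"].startswith("closed")]


if __name__ == "__main__":
    import sys
    # Assumed usage: python vncsweep.py 192.0.2.5 192.0.2.6 ...
    for r in sweep(sys.argv[1:]):
        print(r)
```

A hit on 5900 with "rfb 3.3" on a server that should not be running remote control at all is the thing to follow up with the file and registry checks; the banner alone does not tell WinVNC 3.3.3 apart from any other 3.3 server.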