My Worm is Bigger Than Yours

J. Oquendo sil at politrix.org
Fri Sep 17 16:43:37 UTC 2004



To give others further information on this sdbot.worm (continuing from my
previous post http://www.merit.edu/mail.archives/nanog/msg01241.html), here
are the main characteristics I've found on almost all variants I've come
across. Obviously it seems to be a polymorphic form of worm, meaning its
characteristics are changing. Before I begin though, I would hope no one
would think it's off topic, since there may be one variant of this worm
flooding your network with randomly generated MAC addresses, not good on
those switches. Also I wouldn't think it's off topic since most of you are
likely already seeing, or will be seeing, more traffic generated on ports
445, 80, and 82.

There seems to be one main executable, but I haven't found out which one
this is. The names I've come across so far for most of the executables are
somewhat synonymous with standard Windows programs.

Microsoft program      Worm's program
serv.exe               serv32.exe
services.exe           services32.exe
lsass.exe              lsass32.exe

The following is a list of the names of the executables I've come across
which meet the criteria of this annoyance.

Setver32.exe
Regsrv32.exe
Wmmon32.exe
Mswinc.exe
Mswincv.exe
Mswinc32.exe
Systemiom.exe
Bling.exe
Rzqodp.exe
ftpd.exe

Other programs have garbled names e.g., wetyr.exe, oiure.exe

These programs typically tend to reside in:
C:\temp
C:\tmp
c:\Windows
c:\Windows\tmp
c:\Windows\system32
c:\Windows\system32\config\systemprofile

Along with the usual MSIE cache folder.

The programs have been appearing in Windows' registry as follows:

HKLM\SOFTWARE\MICROSOFT\OLE
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES
HKLM\SYSTEM\CONTROLSET001\CONTROL\LSA

Easiest thing to do is ctrl-f for the names and you will usually
see them bundled, but if you have to remove it, you want to search for
each individually since some mix things up.

Name              Data
Setver32.exe      Windows Secure
Regserv32.exe     Reg Service
Mswinc.exe        Remote Procedure Calls
Mswinc32.exe      Remote Procedure Calls
Systemiom.exe     System Updater

Others have no Data associated with them.
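Since the post gives the autorun keys, the value names and the executable
names as plain lists, here is a small checker that puts them to use. It is an
added example and not part of the original post: it parses a `regedit /e`
style export of the Run/RunServices keys and flags any entry whose executable
name matches one reported above, follows the "append 32 to a Windows binary"
pattern, or runs from one of the temp directories listed. The sample export
and the "Example Vendor Updater" entry are constructed for the example;
C:\Windows and C:\Windows\system32 are deliberately not treated as suspicious
on their own because legitimate autoruns live there too.

```python
import re

# Executable names the post reports for this worm family (lower-cased for matching).
WORM_NAMES = {
    "setver32.exe", "regsrv32.exe", "regserv32.exe", "wmmon32.exe",
    "mswinc.exe", "mswincv.exe", "mswinc32.exe", "systemiom.exe",
    "bling.exe", "rzqodp.exe", "ftpd.exe",
    "serv32.exe", "services32.exe", "lsass32.exe",
}

# Legitimate Windows binaries the worm imitates by appending "32" before ".exe".
LOOKALIKE = re.compile(r"^(serv|services|lsass)32\.exe$")

# Drop directories named in the post. C:\Windows and C:\Windows\system32 are
# left out of this check because legitimate autoruns live there as well.
UNUSUAL_DIRS = (
    "c:\\temp\\",
    "c:\\tmp\\",
    "c:\\windows\\tmp\\",
    "c:\\windows\\system32\\config\\systemprofile\\",
)

# Constructed sample: a registry export of the Run and RunServices keys from an
# infected host. The vendor entry stands in for a normal, legitimate autorun.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Secure"="C:\\WINDOWS\\system32\\Setver32.exe"
"Remote Procedure Calls"="C:\\temp\\Mswinc32.exe"
"Example Vendor Updater"="C:\\Program Files\\ExampleVendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"System Updater"="C:\\WINDOWS\\services32.exe"
"""


def parse_reg_export(text):
    """Parse the subset of .reg syntax used by string values:
    a [key] header followed by "name"="data" lines."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^"([^"]*)"="(.*)"$', line)
        if m and key is not None:
            # .reg files escape backslashes as "\\"; undo that to get the real path.
            data = m.group(2).replace("\\\\", "\\")
            entries.append((key, m.group(1), data))
    return entries


def basename(path):
    """Last path component, lower-cased, for comparison against the name list."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def find_suspicious(entries):
    """Return one finding per autorun entry that matches a reported indicator."""
    findings = []
    for key, name, data in entries:
        exe = basename(data)
        reasons = []
        if exe in WORM_NAMES or name.lower() in WORM_NAMES:
            reasons.append("name reported for sdbot variants")
        if LOOKALIKE.match(exe):
            reasons.append("'32' look-alike of a Windows system binary")
        if data.lower().startswith(UNUSUAL_DIRS):
            reasons.append("runs from a temp/drop directory")
        if reasons:
            findings.append({"key": key, "name": name, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_reg_export(SAMPLE_REG)):
        print(f"{f['key']}\n  {f['name']!r} -> {f['exe']}: {'; '.join(f['reasons'])}")
```

On the sample export this reports three entries: Setver32.exe by name,
Mswinc32.exe by name and because it runs from C:\temp, and services32.exe
both by name and as a look-alike of services.exe; the vendor entry is left
alone. Feed it the output of `regedit /e` for the five keys above to check a
real machine.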

Now, I haven't managed to zero in on which one is sending out random MAC
addresses yet, but eventually I will try; maybe an antivirus company can do
so before me. So let me explain a few quick oddities I've seen so far.
Get a complaint that a student is not connected, go to the dorm, repunch his
port, no dice, open the closet, no dice. What was happening with his machine
was his connection would come up, then go down the second it came up, then
come right back up the second it went down. Same happened with a colleague.
Bizarre, bizarre.

Another student: "I can't get my Interweb." Same thing: repunch her,
repatch her machine with the latest "Microsoft Fixitall Service Pack
7354738245", still no dice. Run through reinstalling drivers, swapping
Ethernet cards, nothing. Redid some tweaks and she gets connected. The
second she did get connected: "IP ADDRESS CONFLICT WITH FOO MAC".
Only thing was, after searching the network, no MAC address with the
number it was posting existed.

This particular issue with the MAC "spoofing", if you want to call it that
(I prefer random MAC generation), was being flooded out through ports 80
and 82. So what will happen if some worm has the characteristics built in
to generate MACs when it tries to send out your router's or server's MAC
address? You do the math. (NOTE: Still looking into this port 80/82 issue,
so it could be a false alarm, but nevertheless I've come across some odd
things this past week which I'd never seen.)

Most of the worms that open the port 445 connections tend to open up
hundreds if not thousands of requests, more than likely to infected
machines. After the first few occurrences I came across, I would see a
machine pop open a few hundred connections within seconds of the machine
obtaining an address. The first thing I would notice via netstat would be
some form of IRC connection going out, so the possibilities would be
either a DDoS slave, or it's sending information somewhere.
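The two signs described in that paragraph, a burst of outbound port-445
connections to many distinct hosts right after the machine gets an address
and an outbound IRC session, are easy to check for mechanically. The
following is an added example, not code from the post: it parses `netstat -an`
style output and reports both conditions. The netstat text is constructed for
the example (a sweep of a /24 on 445 plus one IRC session), the IRC port set
is an assumption (the post only says "some form of IRC connection"; 6667 is
the conventional port), and the threshold of 50 distinct targets is an
arbitrary default to tune for your network.

```python
import re
from collections import Counter

SMB_PORT = 445
# Assumption: conventional IRC ports. The post does not name the port the bot used.
IRC_PORTS = {6667, 6668, 6669, 7000}

# Windows netstat -an columns: Proto, Local Address, Foreign Address, State (TCP only).
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)\s*$"
)


def parse_netstat(text):
    """Parse netstat -an lines into (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # banner, blank and header lines
        proto, lip, lport, rip, rport, state = m.groups()
        if rport == "*":
            continue  # UDP listeners show "*:*" as the foreign address
        conns.append((proto, lip, int(lport), rip, int(rport), state))
    return conns


def assess(conns, scan_threshold=50):
    """Flag the two behaviours from the post: a fan-out of port-445 connections to
    many distinct hosts, and an established outbound IRC connection."""
    smb_targets = {rip for (_, _, _, rip, rport, _) in conns if rport == SMB_PORT}
    irc = [(rip, rport) for (_, _, _, rip, rport, state) in conns
           if rport in IRC_PORTS and state == "ESTABLISHED"]
    states = Counter(state for (*_, state) in conns)
    return {
        "distinct_445_targets": len(smb_targets),
        "mass_445_scan": len(smb_targets) >= scan_threshold,
        "irc_connections": irc,
        "syn_sent": states["SYN_SENT"],
    }


def build_sample():
    """Constructed netstat output for an infected host: 120 half-open SMB
    connections across 10.192.42.0/24 and one IRC session to a TEST-NET address."""
    lines = ["", "Active Connections", "",
             "  Proto  Local Address          Foreign Address        State"]
    for i in range(1, 121):
        lines.append(f"  TCP    10.192.41.87:{1030 + i:<5}   10.192.42.{i}:445       SYN_SENT")
    lines.append("  TCP    10.192.41.87:1200      192.0.2.10:6667        ESTABLISHED")
    lines.append("  TCP    10.192.41.87:1201      192.0.2.20:80          ESTABLISHED")
    lines.append("  UDP    10.192.41.87:137       *:*")
    return "\n".join(lines)


if __name__ == "__main__":
    report = assess(parse_netstat(build_sample()))
    for k, v in report.items():
        print(f"{k}: {v}")
```

A normal workstation rarely has more than a handful of outbound 445
connections at once, and almost never in SYN_SENT to a hundred different
hosts, so the SYN_SENT count on its own is a usable trigger even before the
IRC session appears. Run it against saved netstat output from a suspect host
rather than the constructed sample.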

Bling is supposedly set to send "ALL_THINGS_RELATED_TO_LOGINS" as well as
Paypal information to some server, if it is sending information I can't
find where it would be storing it. Keep in mind the prior code I was able
to find regarding this annoyance where it modified antivirus software to
either kill it, or to avoid detection, as well as kill your ability to use
regedit, taskmgr, and other tools. There is the possibility it is storing
something somewhere, I haven't come across it yet.

Finally (I think) the ftpd.exe, which always seems to piggyback with the
others; this little piggie more than likely may be the one turning the
infected machine into a TFTP server whereby other infected machines ensure
they stay infected. This seems to create a file called bla.txt.

This text file lists the following:

Open 10.192.41.87   13501
User blah
Pass blah
Binary
Get bot.exe
Quit

Bot.exe I'm gonna assume is probably an ircbot of sorts, unfortunately I
cannot find this program anywhere, but the infected machine does connect
to irc, it does open a TFTP server, and will attempt to connect to
hundreds if not thousands of ports via 445. Most machines may have gotten
infected via file sharing, Limewire, Kazaa, KazaaLite, BitTorrent, etc.,
along with probably viewing some porn related page since I've also come
across dialer.exe's here and there.

Sorry for the long mail, and apologies if it seems off topic to some, but
remember, someone down the line is paying for this traffic. Let's hope it
doesn't become an epidemic like Microsoft itself.

At least you'd have been forewarned of some of the characteristics you're
likely to see.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99

CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we
believe that men high in this government are concerting
to deliver us to disaster?" Joseph McCarthy "America's
Retreat from Victory"