From the dshield list.

Cheers,

Paulo

----- Original Message -----
From: "Danny"
To: "'General DShield Discussion List'" <[EMAIL PROTECTED]>
Sent: Sunday, March 09, 2003 4:25 PM
Subject: RE: [Dshield] Port 445 Traffic


>
> |->-----Original Message-----
> |->From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> |->Behalf Of Doug White
> |->Sent: Sunday, March 09, 2003 10:19 AM
> |->To: General DShield Discussion List
> |->Subject: Re: [Dshield] Port 445 Traffic
> |->
> |->Yes, we are experiencing the same - started around noon on Friday - but
> |->really picked up the past 24 hours - and are coming from all over.
> |->
>
>
> This was sent to the full-disclosure email list and would probably be
> the reason for this increase in port 445 scanning...
>
>
> Harbin Institute of Technology & Antiy United Cert Group
> Worm.Dvldr analysis report
>
> On Mar. 8th, 2003, Harbin Institute of Technology & Antiy United
> Cert Group found abnormal network communication on several monitor
> nodes of China Telecom and the China Education and Research Network.
>
> The abnormal behaviour is as follows:
> 1. The monitor nodes find that several nodes send TCP 445 packets to a
> large number of target hosts.
> 2. Each abnormal node sends the packets to consecutive IP addresses.
> Through reverse checking we found what the target hosts have in common:
> 1. The operating system is Windows NT/2000.
> 2. The operating system has both port 5800 and port 5900 of the AT&T
> remote manager open.
>
> After that, we contacted the administrator of the target host in time
> and obtained samples. The first checking results are as follows:
> Under the system list there is an executable program called Dvldr32.exe,
> which produces the abnormal communication by sending a large quantity of
> data packets. Besides, there are several abnormal files and abnormal
> registry key assignments. The list of abnormal files is as follows:
>
> File name          Possible directory                                  Size
> dvldr32.exe        %windir%/system32 (NT/2K), %windir%/system (9x)     745,984
> explorer.exe       %windir%/fonts                                      212,992
> omnithread_rt.dll  %windir%/fonts                                      57,344
> VNCHooks.dll       %windir%/fonts                                      32,768
> rundll32.exe       %windir%/fonts                                      29,336
> cygwin1.dll        %windir%/system32 (NT/2K), %windir%/system (9x)     944,968
> INST.exe           C:\Documents and Settings\All Users\Start Menu\Programs\Startup\inst.exe,
>                    C:\WINDOWS\Start Menu\Programs\Startup\inst.exe,
>                    C:\WINNT\All Users\Start Menu\Programs\Startup\inst.exe
>                                                                        684,562
>
> The registry is modified as follows:
> REGEDIT4
>
> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
> "TaskMan"="C:\\WINDOWS\\Fonts\\rundll32.exe"
> "Explorer"="C:\\WINDOWS\\Fonts\\explorer.exe"
> [HKEY_CURRENT_USER\Software\ORL]
>
> [HKEY_CURRENT_USER\Software\ORL\WinVNC3]
> "SocketConnect"=dword:00000001
> "AutoPortSelect"=dword:00000001
> "InputsEnabled"=dword:00000001
> "LocalInputsDisabled"=dword:00000000
> "IdleTimeout"=dword:00000000
> "QuerySetting"=dword:00000002
> "QueryTimeout"=dword:0000000a
> "Password"=hex:[here we do some shields]
> "PollUnderCursor"=dword:00000001
> "PollForeground"=dword:00000001
> "PollFullScreen"=dword:00000001
> "OnlyPollConsole"=dword:00000001
> "OnlyPollOnEvent"=dword:00000001
>
> [HKEY_CURRENT_USER\Software\ORL\VNCHooks]
>
> [HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs]
>
> [HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\EXPLORER.EXE]
> The forwarded analysis is as follows:
>    Dvldr32.exe is packed with Aspack. This virus, which is written in MS
> VC 6.0, sends out a large number of packets with the aim of infecting the
> network. This file also includes 3 executable files. Two of them are
> "Psexesvc" and "Remote process launcher". They are command tools
> published by Sysinternals Corporation. They are not created on the file
> system, and are called by Dvldr32.exe only. The other program is an
> install package made by an uncommon install tool. The package includes
> 5 files, 3 of which (Explorer.exe, VNCdll32.dll and Omnithread_rt.dll)
> are network management tools which belong to the corporation AT&T.
>    Rundll32.dll is not the normal one in the Microsoft operating system.
> It may be a Linux program ported to Windows. We are still analysing the
> basic principle of it.
> Spread principle:
>    When running, the program selects 2 IP ranges at random and connects
> to port 445 on the target host to get a network packet. Once the target
> machine's administrator password is null or in the list included in this
> file, the program copies itself to that system.
> Backdoor:
>    The virus uses the regular system management tool VNC (version
> 3.3.3.9) as its backdoor, and installs it in the target computer's
> operating system. Through some technical measures, the icon does not
> appear when VNC is running. Because VNC cannot connect to the computer
> when the machine is locked, this function is limited.
> What the user can do:
>   The user with an NT/2K OS must set a strong admin password first, then
> use AntiyPort http://www.antiy.net/download/antiyports.exe or other
> process management tools to kill the process named dvldr32.exe. After
> doing this, the user must delete all files appearing in the above table,
> and then restart the computer.
>
> The special kill tool & the forwarded response message:
> Harbin Institute of Technology & Antiy United Cert Group will keep
> paying attention to the developing state of affairs, and we will
> release an in-depth analysis report. We will also release two copies
> (Chinese and English) of the special kill tool at about 21:40 Beijing
> Time (Mar. 8th, 2003). On Mar. 9th, 2003, Beijing Time, the anti-virus
> database will be updated. After that, you can download the Antiy
> Ghostbusters database file here:
> http://www.antiy.net/update/ex.gbl
> You can overwrite the same file in the Antiy Ghostbusters install path
> (default is :\Program Files\Antiy Labs\Antiy Ghostbusters); after that
> you can check for this worm with Antiy Ghostbusters. More information on
> Antiy Ghostbusters: http://www.antiy.net/ghostbusters
>
> Password list of this worm:
> .data:0040A038                 dd offset aAdmin        ; "admin"
> .data:0040A03C                 dd offset aAdmin_0      ; "Admin"
> .data:0040A040                 dd offset aPassword     ; "password"
> .data:0040A044                 dd offset aPassword_0   ; "Password"
> .data:0040A048                 dd offset a1            ; "1"
> .data:0040A04C                 dd offset a12           ; "12"
> .data:0040A050                 dd offset a123          ; "123"
> .data:0040A054                 dd offset a1234         ; "1234"
> .data:0040A058                 dd offset a12345        ; "12345"
> .data:0040A05C                 dd offset a123456       ; "123456"
> .data:0040A060                 dd offset a1234567      ; "1234567"
> .data:0040A064                 dd offset a12345678     ; "12345678"
> .data:0040A068                 dd offset a123456789    ; "123456789"
> .data:0040A06C                 dd offset a654321       ; "654321"
> .data:0040A070                 dd offset a54321        ; "54321"
> .data:0040A074                 dd offset a111          ; "111"
> .data:0040A078                 dd offset a000000       ; "000000"
> .data:0040A07C                 dd offset a00000000     ; "00000000"
> .data:0040A080                 dd offset a11111111     ; "11111111"
> .data:0040A084                 dd offset a88888888     ; "88888888"
> .data:0040A088                 dd offset aPass         ; "pass"
> .data:0040A08C                 dd offset aPasswd       ; "passwd"
> .data:0040A090                 dd offset aDatabase     ; "database"
> .data:0040A094                 dd offset aAbcd         ; "abcd"
> .data:0040A098                 dd offset aAbc123       ; "abc123"
> .data:0040A09C                 dd offset aOracle       ; "oracle"
> .data:0040A0A0                 dd offset aSybase       ; "sybase"
> .data:0040A0A4                 dd offset a123qwe       ; "123qwe"
> .data:0040A0A8                 dd offset aServer       ; "server"
> .data:0040A0AC                 dd offset aComputer     ; "computer"
> .data:0040A0B0                 dd offset aInternet     ; "Internet"
> .data:0040A0B4                 dd offset aSuper        ; "super"
> .data:0040A0B8                 dd offset a123asd       ; "123asd"
> .data:0040A0BC                 dd offset aIhavenopass  ; "ihavenopass"
> .data:0040A0C0                 dd offset aGodblessyou  ; "godblessyou"
> .data:0040A0C4                 dd offset aEnable       ; "enable"
> .data:0040A0C8                 dd offset aXp           ; "xp"
> .data:0040A0CC                 dd offset a2002         ; "2002"
> .data:0040A0D0                 dd offset a2003         ; "2003"
> .data:0040A0D4                 dd offset a2600         ; "2600"
> .data:0040A0D8                 dd offset a0            ; "0"
> .data:0040A0DC                 dd offset a110          ; "110"
> .data:0040A0E0                 dd offset a111111       ; "111111"
> .data:0040A0E4                 dd offset a121212       ; "121212"
> .data:0040A0E8                 dd offset a123123       ; "123123"
> .data:0040A0EC                 dd offset a1234qwer     ; "1234qwer"
> .data:0040A0F0                 dd offset a123abc       ; "123abc"
> .data:0040A0F4                 dd offset a007          ; "007"
> .data:0040A0F8                 dd offset aAlpha        ; "alpha"
> .data:0040A0FC                 dd offset aPatrick      ; "patrick"
> .data:0040A100                 dd offset aPat          ; "pat"
> .data:0040A104                 dd offset aAdministrator ; "administrator"
> .data:0040A108                 dd offset aRoot         ; "root"
> .data:0040A10C                 dd offset aSex          ; "sex"
> .data:0040A110                 dd offset aGod          ; "god"
> .data:0040A114                 dd offset aFoobar       ; "foobar"
> .data:0040A118                 dd offset aA            ; "a"
> .data:0040A11C                 dd offset aAaa          ; "aaa"
> .data:0040A120                 dd offset aAbc          ; "abc"
> .data:0040A124                 dd offset aTest         ; "test"
> .data:0040A128                 dd offset aTest123      ; "test123"
> .data:0040A12C                 dd offset aTemp         ; "temp"
> .data:0040A130                 dd offset aTemp123      ; "temp123"
> .data:0040A134                 dd offset aWin          ; "win"
> .data:0040A138                 dd offset aPc           ; "pc"
> .data:0040A13C                 dd offset aAsdf         ; "asdf"
> .data:0040A140                 dd offset aSecret       ; "secret"
> .data:0040A144                 dd offset aQwer         ; "qwer"
> .data:0040A148                 dd offset aYxcv         ; "yxcv"
> .data:0040A14C                 dd offset aZxcv         ; "zxcv"
> .data:0040A150                 dd offset aHome         ; "home"
> .data:0040A154                 dd offset aXxx          ; "xxx"
> .data:0040A158                 dd offset aOwner        ; "owner"
> .data:0040A15C                 dd offset aLogin        ; "login"
> .data:0040A160                 dd offset aLogin_0      ; "Login"
> .data:0040A164                 dd offset aPwd          ; "pwd"
> .data:0040A168                 dd offset aPass         ; "pass"
> .data:0040A16C                 dd offset aLove         ; "love"
> .data:0040A170                 dd offset aMypc         ; "mypc"
> .data:0040A174                 dd offset aMypc123      ; "mypc123"
> .data:0040A178                 dd offset aAdmin123     ; "admin123"
> .data:0040A17C                 dd offset aPw123        ; "pw123"
> .data:0040A180                 dd offset aMypass       ; "mypass"
> .data:0040A184                 dd offset aMypass123    ; "mypass123"
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> Cheers
> Danny
> Network Security Engineer
>
_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
http://www.realvnc.com/mailman/listinfo/vnc-list

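The scanning pattern the Antiy report describes (one source sending TCP 445 packets to a large number of consecutive addresses) can be turned into a simple detection over connection logs. This is an added example, not code from the report or from either list; the log format, the source addresses and the thresholds are constructed for illustration:

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample connection log (not from the page): 10.0.0.5 sweeps
# consecutive addresses on 445, 10.0.0.7 touches two scattered hosts,
# 10.0.0.9 talks to port 80 only.
SAMPLE_LOG = """\
2003-03-08T12:01:00 TCP 10.0.0.5 -> 192.0.2.10:445 SYN
2003-03-08T12:01:00 TCP 10.0.0.5 -> 192.0.2.11:445 SYN
2003-03-08T12:01:01 TCP 10.0.0.5 -> 192.0.2.12:445 SYN
2003-03-08T12:01:01 TCP 10.0.0.5 -> 192.0.2.13:445 SYN
2003-03-08T12:01:02 TCP 10.0.0.5 -> 192.0.2.14:445 SYN
2003-03-08T12:01:03 TCP 10.0.0.7 -> 192.0.2.50:445 SYN
2003-03-08T12:01:03 TCP 10.0.0.7 -> 198.51.100.3:445 SYN
2003-03-08T12:01:04 TCP 10.0.0.9 -> 203.0.113.8:80 SYN
"""

LINE_RE = re.compile(r"TCP (\S+) -> (\S+):(\d+) SYN")

def parse(log_text):
    """Yield (src, dst, dport) from lines in the constructed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def sequential_run(addresses):
    """Length of the longest run of consecutive IPv4 addresses."""
    nums = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_445_scanners(log_text, min_targets=5, min_run=4):
    """Sources that hit >= min_targets hosts on 445 with a consecutive run."""
    targets = defaultdict(set)
    for src, dst, dport in parse(log_text):
        if dport == 445:
            targets[src].add(dst)
    hits = {}
    for src, dsts in targets.items():
        run = sequential_run(dsts)
        if len(dsts) >= min_targets and run >= min_run:
            hits[src] = {"targets": len(dsts), "longest_run": run}
    return hits
```

On the sample log only 10.0.0.5 is reported; the thresholds are arbitrary and should be tuned to the size of the monitored ranges.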
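The report's advice is to set a strong admin password first, and it quotes the worm's dictionary as an IDA listing. The following added example (not from Antiy or the list; the length floor of 12 is an assumed local policy) pulls the strings out of that listing format, including the entry the mail client wrapped onto a second line, and checks a candidate admin password against it:

```python
import re

# Subset of the IDA .data listing quoted in the report, used as the
# dictionary source; the wrapped "administrator" line is kept on purpose.
IDA_LISTING = """\
.data:0040A038                 dd offset aAdmin        ; "admin"
.data:0040A03C                 dd offset aAdmin_0      ; "Admin"
.data:0040A040                 dd offset aPassword     ; "password"
.data:0040A048                 dd offset a1            ; "1"
.data:0040A0EC                 dd offset a1234qwer     ; "1234qwer"
.data:0040A104                 dd offset aAdministrator ;
"administrator"
.data:0040A184                 dd offset aMypass123    ; "mypass123"
"""

ENTRY_RE = re.compile(r'dd\s+offset\s+\w+\s*;\s*(?:"([^"]*)")?')
BARE_STRING_RE = re.compile(r'\s*"([^"]*)"\s*')

def extract_dictionary(listing):
    """Return the password strings in listing order, joining a string
    that the mail client wrapped onto the line after its ';' comment."""
    words, pending = [], False
    for line in listing.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            if m.group(1) is not None:
                words.append(m.group(1))
                pending = False
            else:
                pending = True          # comment text continues on next line
            continue
        q = BARE_STRING_RE.fullmatch(line)
        if pending and q:
            words.append(q.group(1))
            pending = False
    return words

def is_weak_admin_password(candidate, dictionary, min_len=12):
    """Reject what the worm would get in with (empty or listed) plus an
    assumed length floor; matching is case-insensitive to be conservative."""
    if not candidate:
        return True, "empty"
    if candidate.lower() in {w.lower() for w in dictionary}:
        return True, "in worm dictionary"
    if len(candidate) < min_len:
        return True, "shorter than %d" % min_len
    return False, "ok"
```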