Educause Security Discussion mailing list archives

Strange virus/worm/trojan on 135/445


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Wed, 24 Nov 2004 00:23:42 -0500

Last week I posted about a strange "infection" on a few dozen local
systems that were probing random addresses in the same /8 subnet as the
victim host on tcp/135.  Last Friday we started to see similar behavior
from other systems except probing tcp/445.  Here is the relevant data
collected thus far:

* Probes are issued only to one port or the other.  No other significant
traffic is yet observed on any port (other than the occasional e-mail or
web query that appears to be normal traffic), but we haven't done
exhaustive captures yet.  The capture is essentially worthless as the
probes are just TCP SYNs which are dropped by our egress filter before
they hit the net at large.  We are attempting to set up a honeypot.

* Infected machines we have examined are listening on tcp/113
(ident/auth) and return a random user ID string, e.g.:

Authentication Service  : USERID : UNIX : ytgybfoyaaq

* Infected machines are also listening on udp/69 (tftp).  It appears to
be a 'normal' tftp server but may very well not be the case.

* Similar tcp/135 behavior and listening ports have been observed at
UNC-Charlotte (off-list reply to me last week) but they had a few
exceptions to the listening ports (could have been different malware) in
a few cases.

* Infected machines we have scanned are mostly Win2K.  No XP seen at
this point.

* Field tech's note from checking ActivePorts:

Winole is there in System32, however, Active Ports is showing one called
wigsep.exe doing the work. Tons of local ports in the 1000 and 4000
range. 113, 135 and udp 69 all by wigsep. Wigsep is referenced in the
registry under run as well. Searching windows turns up nothing for
wigsep but does, of course, see winole.

* Another note:

I was installing a printer on a pc a while ago. Just for fun, I looked at
the registry and noticed it had a gibberish exe in startup. I ran active
ports, sure enough, it was scanning 445.

* Another note -- found startup registry entries for 'xskrvj' along with
a .txt file that appears to be a stack overflow, perhaps generated when
the infection occurred:

Below are the contents of a file that was in winnt\system32 on the machine
scanning 445. It was called xskrvj.exe-up.txt. I opened it in Notepad and
saved it as a word doc and moved it to my Mac and pasted in this
email....please let me know if this was a bad idea! Anyway, I deleted the
file and the references to xskrvj in the registry. It came back, but this
file has not reappeared. Maybe because the pc is not connected. Interesting
that it came back with the same name.

__SEH__ 0xc00000fd at 0x74fd2215
CS :0x0000001B SS :0x00000023 DS :0x00000023
ES :0x00000023 FS :0x00000038 GS :0x00000000
EAX:0x028A310C EDX:0x00000000 ECX:0x0014C2C0
ESP:0x028A2F8C EBP:0x028A3098 EIP:0x74FD2215
ESI:0x00000000 EDI:0x0013EE70
-- backtrace --
 0x74fd2215:[msafd.dll]:(001:00001215)
 0x750317a2:[ws2_32.dll]:(001:000007a2)
 0x75031f37:[ws2_32.dll]:(001:00000f37)
 0x00415fb8:[xskrvj.exe]:(001:00014fb8)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
 0x0041645a:[xskrvj.exe]:(001:0001545a)
--stack--
0x028a2f8c: 0x00000000 0x00000000 0x00000000 0x00000000
0x028a2f9c: 0x00000000 0x00000000 0x00000000 0x00000000
0x028a2fac: 0x00000000 0x00000000 0x00000000 0x00000000
0x028a2fbc: 0x00000000 0x00000000 0x00000000 0x00000000
0x028a2fcc: 0x00000000 0x00000000 0x00000000 0x00000000
0x028a2fdc: 0x00000000 0x00000000 0x00000000 0x00000000
0x028a2fec: 0x00000000 0x00000000 0x00000000 0x00000000
0x028a2ffc: 0x00000000 0x00000000 0x00000000 0x00000000

* And finally:

Ok, this time there is a winole.exe in system32... it wasn't there before
but after rebooting it appeared. This is on the one scanning 445. I will see
if it is trying to scan others

* The machines have been scanned with the last Symantec AV Corporate
with today's sigs and it comes up empty.  We've also found nothing using
McAfee Stinger, Spybot, AdAware, HijackThis, etc.

I'm going to grab the rest of the security team tomorrow and try to do
some escalated forensics on a few of the machines.  Meanwhile, if you
have seen or run into this beast, or this sounds familiar, please drop
me a note.

Thanks in advance,

Jeff Kell
System/Network Security
Information Technology Division
University of Tennessee at Chattanooga
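An added triage example, not part of Jeff's message and not output of any tool he names: the two observables that survive his egress filter are the dropped SYNs to tcp/135 and tcp/445 (random targets inside the victim's own /8) and the odd ident listener on tcp/113 that answers "USERID : UNIX : <random string>". The script below turns both into checks. The deny-log format, the sample log lines, the host addresses, the three-target threshold and the "random user ID" heuristic are all assumptions constructed for this example; adjust the regex to whatever your filter actually logs.

```python
#!/usr/bin/env python3
"""Triage helpers for the tcp/135 / tcp/445 scanner described in the post.

Added example, not code from the original message. Log format, addresses
and thresholds are assumptions for illustration.
"""
import re
import socket
from collections import defaultdict

# Assumed egress-filter deny-log format (constructed for this example):
#   <time> DENY TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port> SYN
LOG_RE = re.compile(
    r"DENY TCP (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) SYN"
)

# Constructed sample: .40 sweeps tcp/135 and .41 sweeps tcp/445 inside 10/8,
# .42 hits one host outside its /8, .43 is ordinary SMTP traffic.
SAMPLE_LOG = """\
00:01:02 DENY TCP 10.20.30.40:1031 -> 10.77.1.9:135 SYN
00:01:02 DENY TCP 10.20.30.40:1032 -> 10.201.55.3:135 SYN
00:01:03 DENY TCP 10.20.30.40:1033 -> 10.8.140.77:135 SYN
00:01:03 DENY TCP 10.20.30.40:1034 -> 10.119.2.250:135 SYN
00:01:04 DENY TCP 10.20.30.41:4012 -> 10.3.3.3:445 SYN
00:01:04 DENY TCP 10.20.30.41:4013 -> 10.250.9.9:445 SYN
00:01:05 DENY TCP 10.20.30.41:4014 -> 10.66.66.1:445 SYN
00:01:05 DENY TCP 10.20.30.41:4015 -> 10.12.0.8:445 SYN
00:01:06 DENY TCP 10.20.30.42:3000 -> 192.0.2.10:445 SYN
00:01:06 DENY TCP 10.20.30.43:1100 -> 10.5.5.5:25 SYN
00:01:07 DENY TCP 10.20.30.43:1101 -> 10.6.6.6:25 SYN
"""

SCAN_PORTS = {"135", "445"}
MIN_DISTINCT_TARGETS = 3  # assumed threshold; tune to your traffic


def find_scanners(log_text, min_targets=MIN_DISTINCT_TARGETS):
    """Return {src_ip: {port: [distinct dst...]}} for sources that SYN to at
    least min_targets distinct hosts on tcp/135 or tcp/445, where every
    target shares the source's first octet (same /8, as in the post)."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["dport"] not in SCAN_PORTS:
            continue
        targets[m["src"]][m["dport"]].add(m["dst"])

    hits = {}
    for src, by_port in targets.items():
        first_octet = src.split(".")[0]
        for port, dsts in by_port.items():
            if len(dsts) < min_targets:
                continue
            if all(d.split(".")[0] == first_octet for d in dsts):
                hits.setdefault(src, {})[port] = sorted(dsts)
    return hits


# Accepts both a raw RFC 1413 reply ("113, 1025 : USERID : UNIX : x") and
# the tool-style line quoted in the post ("Authentication Service : ...").
IDENT_RE = re.compile(
    r"^(?P<ports>[^:]+):\s*USERID\s*:\s*(?P<os>[^:]+?)\s*:\s*(?P<user>\S+)\s*$"
)
# Heuristic (assumption): the bogus listener returns a lowercase-only token.
RANDOM_USER_RE = re.compile(r"^[a-z]{8,16}$")


def classify_ident_reply(reply):
    """'suspicious' for a UNIX/random-token reply like the one in the post,
    'ident' for any other USERID reply, 'no-ident' otherwise."""
    m = IDENT_RE.match(reply.strip())
    if not m:
        return "no-ident"
    if m["os"].upper() == "UNIX" and RANDOM_USER_RE.match(m["user"]):
        return "suspicious"
    return "ident"


def probe_ident(host, timeout=3.0):
    """Live check of tcp/113: send one RFC 1413 query and classify the reply.
    Network call, not exercised offline."""
    try:
        with socket.create_connection((host, 113), timeout=timeout) as s:
            s.sendall(b"113, 1025\r\n")
            data = s.recv(512).decode("ascii", "replace")
    except OSError:
        return "no-ident"
    return classify_ident_reply(data)


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        for port, dsts in ports.items():
            print(f"{src} swept tcp/{port}: {len(dsts)} distinct hosts in its /8")
    print(classify_ident_reply("Authentication Service : USERID : UNIX : ytgybfoyaaq"))
```

Note that a Windows 2000 workstation should not be answering ident at all, so any reply from tcp/113 on such a host is worth a look even before the "UNIX : gibberish" pattern is matched; the classifier only ranks the reply seen in the post above the rest.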

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
