Educause Security Discussion mailing list archives
Strange virus/worm/trojan on 135/445
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Wed, 24 Nov 2004 00:23:42 -0500
Last week I posted about a strange "infection" on a few dozen local systems that were probing random addresses in the same /8 subnet as the victim host on tcp/135. Last Friday we started to see similar behavior from other systems, except probing tcp/445. Here is the relevant data collected thus far:

* Probes are issued only to one port or the other. No other significant traffic is yet observed on any port (other than the occasional e-mail or web query that appears to be normal traffic), but we haven't done exhaustive captures yet. The capture is essentially worthless as the probes are just TCP SYNs which are dropped by our egress filter before they hit the net at large. We are attempting to set up a honeypot.

* Infected machines we have examined are listening on tcp/113 (ident/auth) and return a random user ID string, e.g.:
Authentication Service : USERID : UNIX : ytgybfoyaaq
* Infected machines are also listening on udp/69 (tftp). It appears to be a 'normal' tftp server, but that may very well not be the case.

* Similar tcp/135 behavior and listening ports have been observed at UNC-Charlotte (off-list reply to me last week), but they had a few exceptions to the listening ports (could have been different malware) in a few cases.

* Infected machines we have scanned are mostly Win2K. No XP seen at this point.

* Field tech's note from checking ActivePorts:
Winole is there in System32, however, Active Ports is showing one called wigsep.exe doing the work. Tons of local ports in the 1000 and 4000 range. 113, 135 and udp 69 all by wigsep. Wigsep is referenced in the registry under run as well. Searching windows turns up nothing for wigsep but does, of course, see winole.
* Another note:
I was installing a printer on a pc a while ago. Just for fun, I looked at the registry and noticed it had a gibberish exe in startup. I ran active ports, sure enough, it was scanning 445.
* Another note -- found startup registry entries for 'xskrvj' along with a .txt file that appears to be a stack overflow, perhaps generated when the infection occurred:
Below are the contents of a file that was in winnt\system32 on the machine scanning 445. It was called xskrvj.exe-up.txt. I opened it in Notepad and saved it as a Word doc, moved it to my Mac and pasted it in this email... please let me know if this was a bad idea! Anyway, I deleted the file and the references to xskrvj in the registry. It came back, but this file has not reappeared. Maybe because the pc is not connected. Interesting that it came back with the same name.

__SEH__ 0xc00000fd at 0x74fd2215
CS :0x0000001B SS :0x00000023 DS :0x00000023 ES :0x00000023 FS :0x00000038 GS :0x00000000
EAX:0x028A310C EDX:0x00000000 ECX:0x0014C2C0 ESP:0x028A2F8C EBP:0x028A3098 EIP:0x74FD2215 ESI:0x00000000 EDI:0x0013EE70
-- backtrace --
0x74fd2215:[msafd.dll]:(001:00001215)
0x750317a2:[ws2_32.dll]:(001:000007a2)
0x75031f37:[ws2_32.dll]:(001:00000f37)
0x00415fb8:[xskrvj.exe]:(001:00014fb8)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
0x0041645a:[xskrvj.exe]:(001:0001545a)
--stack--
0x028a2f8c: 0x00000000 0x00000000 0x00000000 0x00000000
0x028a2f9c: 0x00000000 0x00000000 0x00000000 0x00000000
0x028a2fac: 0x00000000 0x00000000 0x00000000 0x00000000
0x028a2fbc: 0x00000000 0x00000000 0x00000000 0x00000000
0x028a2fcc: 0x00000000 0x00000000 0x00000000 0x00000000
0x028a2fdc: 0x00000000 0x00000000 0x00000000 0x00000000
0x028a2fec: 0x00000000 0x00000000 0x00000000 0x00000000
0x028a2ffc: 0x00000000 0x00000000 0x00000000 0x00000000
* And finally:
Ok, this time there is a winole.exe in System32... it wasn't there before, but after rebooting it appeared. This is on the one scanning 445. I will see if it is trying to scan others.
* The machines have been scanned with the last Symantec AV Corporate with today's sigs and it comes up empty. We've also found nothing using McAfee Stinger, Spybot, AdAware, HijackThis, etc. I'm going to grab the rest of the security team tomorrow and try to do some escalated forensics on a few of the machines.

Meanwhile, if you have seen or run into this beast, or this sounds familiar, please drop me a note.

Thanks in advance,

Jeff Kell
System/Network Security
Information Technology Division
University of Tennessee at Chattanooga

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
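An added detection example, not part of Jeff's post or of any tool it names: it reads constructed egress-filter log lines and flags sources showing the pattern the post describes, bare TCP SYNs on tcp/135 or tcp/445 aimed at many distinct hosts inside the source's own /8. The log format, the sample addresses and the threshold of five targets are assumptions.

```python
import ipaddress
from collections import defaultdict
# Constructed sample egress-filter log lines (not from the original post).
# Assumed format: "<time> <src> -> <dst>:<port> <proto> <tcp flags>"; "S" = bare SYN.
SAMPLE_LOG = """\
00:01:02 10.4.7.20 -> 10.191.3.4:135 tcp S
00:01:02 10.4.7.20 -> 10.22.140.9:135 tcp S
00:01:03 10.4.7.20 -> 10.250.1.77:135 tcp S
00:01:03 10.4.7.20 -> 10.8.0.1:135 tcp S
00:01:04 10.4.7.20 -> 10.64.9.9:135 tcp S
00:01:04 10.4.7.20 -> 10.99.99.99:135 tcp S
00:01:07 10.4.7.21 -> 10.4.7.1:445 tcp S
00:01:07 10.4.7.21 -> 10.4.7.2:445 tcp S
00:01:08 10.4.7.22 -> 172.16.3.3:445 tcp S
00:01:09 10.4.7.23 -> 10.4.9.20:80 tcp S
"""
PROBE_PORTS = {135, 445}  # the two ports the post reports being probed


def parse_line(line):
    """Split one log line into (src, dst, port, proto, flags); None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    dst, sep, port = parts[3].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return parts[1], dst, int(port), parts[4], parts[5]


def find_scanners(log_text, min_targets=5):
    """Flag sources sending bare SYNs on 135/445 to many distinct hosts in their own /8.
    Returns {src: {"port": p, "targets": n}} for sources reaching min_targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port, proto, flags = rec
        if proto != "tcp" or flags != "S" or port not in PROBE_PORTS:
            continue
        try:  # the post's distinctive trait: random targets inside the victim's own /8
            own_slash8 = ipaddress.ip_network(f"{src}/8", strict=False)
            in_own_slash8 = ipaddress.ip_address(dst) in own_slash8
        except ValueError:
            continue
        if in_own_slash8:
            targets[(src, port)].add(dst)
    return {src: {"port": port, "targets": len(hosts)}
            for (src, port), hosts in targets.items() if len(hosts) >= min_targets}
```

Probes leaving the source's /8 (10.4.7.22 above) and ordinary web traffic (10.4.7.23) are ignored, so only the host sweeping its own /8 on tcp/135 is flagged at the default threshold.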