Full Disclosure mailing list archives
W32/Welchia, W32/Nachi backdoor?
From: "Barry Irwin" <bvi () lair moria org>
Date: Wed, 20 Aug 2003 17:20:15 +0200
From the AUSCERT announcement
> It usually arrives as DLLHOST.EXE (~10,240 bytes) and opens port 707, for
> its malicious routines.
>
> Similar to the earlier MSBLAST worm variants, this malware also exploits the RPC DCOM Buffer
> Overflow, and instructs target systems to download its copy from the affected system using the TFTP
> program [1]

> creates a backdoor listening on TCP/707 or some other randomly chosen port
> between TCP/666 and TCP/765 [2]

Telnetting to this port seems to disconnect after 1-5 characters have been entered? This doesn't look like TFTP (port 65/tcp&UDP), and the Windows tftp client doesn't seem to offer any means of specifying a port to connect to? Is this some kind of password-protected backdoor?

Barry

[1] http://www.auscert.org.au/render.html?it=3359&cid=1
[2] http://securecomputing.stanford.edu/win-rpc.html

-- 
Barry Irwin bvi () moria org http://lair.moria.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
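Added example (Python; not part of Barry's post or of either cited advisory): a small probe that repeats the telnet test described in the post in a repeatable way, sweeping the TCP/666-765 range on a host and recording how many bytes each listener accepts before it hangs up. The target host, the port range and the loopback stub used so the code runs offline are assumptions; the stub only imitates the "disconnects after a few characters" behaviour the post reports and says nothing about what the real listener does.

```python
import socket
import threading


def probe_port(host, port, chars=b"abcdefgh", timeout=0.5):
    """Connect to host:port and feed it one byte at a time.

    Returns None if the connection is refused or times out, otherwise the
    number of bytes the peer accepted before it hung up (len(chars) if it
    never hung up within the sample). A listener that drops the session
    after a handful of characters, as described in the post, shows up as a
    small count; a listener that keeps reading shows up as len(chars).
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    accepted = 0
    with sock:
        sock.settimeout(timeout)
        for byte in chars:
            try:
                sock.sendall(bytes([byte]))
                accepted += 1
                reply = sock.recv(1)
            except socket.timeout:
                # No FIN/RST within the timeout: peer still holds the session.
                continue
            except OSError:
                # Reset or broken pipe: the peer hung up on us.
                break
            if reply == b"":
                # Orderly close (FIN) from the peer.
                break
            # Any reply byte is ignored; only the close matters here.
    return accepted


def sweep_backdoor_range(host, first=666, last=765, **kwargs):
    """Probe every TCP port in the range cited in the post (666-765 inclusive)
    and return {port: accepted_bytes} for the ports that took a connection."""
    results = {}
    for port in range(first, last + 1):
        accepted = probe_port(host, port, **kwargs)
        if accepted is not None:
            results[port] = accepted
    return results


def start_stub_listener(limit=3):
    """Constructed stand-in for the behaviour described in the post (NOT the
    real listener): accept one connection on an ephemeral loopback port, read
    `limit` bytes, then close. Returns the port number so the probe can be
    exercised without a live infected host."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]

    def serve():
        conn, _ = server.accept()
        with conn:
            received = 0
            while received < limit:
                chunk = conn.recv(1)
                if not chunk:
                    break
                received += len(chunk)
        server.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    stub = start_stub_listener(limit=3)
    print("stub on 127.0.0.1:%d accepted %r bytes before closing"
          % (stub, probe_port("127.0.0.1", stub)))
    print("closed port ->", probe_port("127.0.0.1", 1))
```

Against a suspect host, `sweep_backdoor_range("10.0.0.5")` (address assumed) lists every listener in the range with the byte count it tolerated; a port that closes after a small, consistent count is worth capturing with a packet sniffer next, since the probe cannot distinguish a password check from a length check or a protocol mismatch.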
Current thread:
- W32/Welchia, W32/Nachi backdoor? Barry Irwin (Aug 20)
- RE: W32/Welchia, W32/Nachi backdoor? Chris Eagle (Aug 20)
- Re: W32/Welchia, W32/Nachi backdoor? Michael Mueller (Aug 20)