Security Incidents mailing list archives
Re: new scanner tool or blind luck?
From: Randy Mclean <rmclean () NATDOOR COM>
Date: Thu, 14 Sep 2000 15:59:15 -0500
I haven't seen this one in action yet, but I think this URL (Trend Micro's tech details) will answer some of your questions.

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_QAZ.A&VSect=T

At 03:22 PM 9/14/2000 -0400, George Bakos wrote:

Agreed. network.vbs attempts to map to the remote c: share and would, as it is calling native netbios functions, do as you said. The very helpful admins at a particularly helpful ISP's NOC isolated two machines that were responsible for this traffic. Each of them came up positive for QAZ and network.vbs. Has anyone got any poop on QAZ scanning capabilities and propagation mechanism?

Another trace to chew on:

10:15:48.528735 bad.guy.net.138.3674 > my.net.162.139: S 501372074:501372074(0) win 8192 (ttl 52, id 44153)
10:15:51.457527 bad.guy.net.138.3674 > my.net.162.139: S 501372074:501372074(0) win 8192 (ttl 52, id 44665)
10:15:55.529851 bad.guy.net.138.3675 > my.net.163.139: S 501379076:501379076(0) win 8192 (ttl 52, id 44921)
10:15:57.456302 bad.guy.net.138.3674 > my.net.162.139: S 501372074:501372074(0) win 8192 (ttl 52, id 45433)
10:15:58.454895 bad.guy.net.138.3675 > my.net.163.139: S 501379076:501379076(0) win 8192 (ttl 52, id 45689)
10:16:04.454613 bad.guy.net.138.3675 > my.net.163.139: S 501379076:501379076(0) win 8192 (ttl 52, id 46201)
10:16:09.453368 bad.guy.net.138.3674 > my.net.162.139: S 501372074:501372074(0) win 8192 (ttl 52, id 46713)
10:16:16.451132 bad.guy.net.138.3675 > my.net.163.139: S 501379076:501379076(0) win 8192 (ttl 52, id 47737)
10:16:44.598461 bad.guy.net.138.3682 > my.net.170.139: S 501428089:501428089(0) win 8192 (ttl 52, id 52089)
10:16:47.514230 bad.guy.net.138.3682 > my.net.170.139: S 501428089:501428089(0) win 8192 (ttl 52, id 52601)
10:16:53.512321 bad.guy.net.138.3682 > my.net.170.139: S 501428089:501428089(0) win 8192 (ttl 52, id 53369)
10:17:05.509700 bad.guy.net.138.3682 > my.net.170.139: S 501428089:501428089(0) win 8192 (ttl 52, id 54905)
10:19:04.676916 bad.guy.net.138.3702 > my.net.190.139: S 501568128:501568128(0) win 8192 (ttl 52, id 7290)
10:19:05.151120 bad.guy.net.138.3702 > my.net.190.139: S 501568128:501568128(0) win 8192 (ttl 52, id 7546)
10:19:05.652165 bad.guy.net.138.3702 > my.net.190.139: S 501568128:501568128(0) win 8192 (ttl 52, id 7802)
10:19:06.152070 bad.guy.net.138.3702 > my.net.190.139: S 501568128:501568128(0) win 8192 (ttl 52, id 8058)

On 14 Sep 00, at 8:37, Randy Mclean wrote:

> network.vbs will normally have a netbios port for both the source and
> destination ports. If I remember correctly the code in the vbs file
> calls the netbios functions with UNC's, thus limiting its source port
> to netbios (example of UNC \\55.55.55.55\c$). This looks like a scan
> using a scanner or a different trojan that doesn't use the windows
> netbios functions to find windows shares.

My 2 cents

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"If you can't make it good, make it look good." - Bill Gates

George Bakos
alpinista () bigfoot com
--
Randy Mclean
Security/Network Administrator
rmclean () natdoor com
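The thread's argument turns on one observable: Randy says native NetBIOS share mapping (what network.vbs does) shows up as 139 -> 139, while George's trace shows SYNs to tcp/139 from ordinary ephemeral source ports (3674, 3675, ...), each retransmitted with the same initial sequence number. The script below is an added example, not code from either poster: it parses tcpdump SYN lines in the format quoted above, groups repeated SYNs with the same ISN as retransmits of a single connection attempt, and applies the thread's source-port heuristic per scanning host. The trace is copied from George's post; the single `infected.host` line is constructed here to exercise the 139 -> 139 branch, and the "native vs. scanner-style" labels are this example's own names for the two patterns the thread describes.

```python
"""Classify tcpdump SYNs aimed at tcp/139 by the source-port heuristic from the thread."""
import re
from collections import OrderedDict

# Trace copied from George Bakos's post (host names anonymised by the poster).
TRACE = """\
10:15:48.528735 bad.guy.net.138.3674 > my.net.162.139: S 501372074:501372074(0) win 8192 (ttl 52, id 44153)
10:15:51.457527 bad.guy.net.138.3674 > my.net.162.139: S 501372074:501372074(0) win 8192 (ttl 52, id 44665)
10:15:55.529851 bad.guy.net.138.3675 > my.net.163.139: S 501379076:501379076(0) win 8192 (ttl 52, id 44921)
10:15:57.456302 bad.guy.net.138.3674 > my.net.162.139: S 501372074:501372074(0) win 8192 (ttl 52, id 45433)
10:15:58.454895 bad.guy.net.138.3675 > my.net.163.139: S 501379076:501379076(0) win 8192 (ttl 52, id 45689)
10:16:04.454613 bad.guy.net.138.3675 > my.net.163.139: S 501379076:501379076(0) win 8192 (ttl 52, id 46201)
10:16:09.453368 bad.guy.net.138.3674 > my.net.162.139: S 501372074:501372074(0) win 8192 (ttl 52, id 46713)
10:16:16.451132 bad.guy.net.138.3675 > my.net.163.139: S 501379076:501379076(0) win 8192 (ttl 52, id 47737)
10:16:44.598461 bad.guy.net.138.3682 > my.net.170.139: S 501428089:501428089(0) win 8192 (ttl 52, id 52089)
10:16:47.514230 bad.guy.net.138.3682 > my.net.170.139: S 501428089:501428089(0) win 8192 (ttl 52, id 52601)
10:16:53.512321 bad.guy.net.138.3682 > my.net.170.139: S 501428089:501428089(0) win 8192 (ttl 52, id 53369)
10:17:05.509700 bad.guy.net.138.3682 > my.net.170.139: S 501428089:501428089(0) win 8192 (ttl 52, id 54905)
10:19:04.676916 bad.guy.net.138.3702 > my.net.190.139: S 501568128:501568128(0) win 8192 (ttl 52, id 7290)
10:19:05.151120 bad.guy.net.138.3702 > my.net.190.139: S 501568128:501568128(0) win 8192 (ttl 52, id 7546)
10:19:05.652165 bad.guy.net.138.3702 > my.net.190.139: S 501568128:501568128(0) win 8192 (ttl 52, id 7802)
10:19:06.152070 bad.guy.net.138.3702 > my.net.190.139: S 501568128:501568128(0) win 8192 (ttl 52, id 8058)
"""

# Constructed sample line (not from the thread): the 139 -> 139 shape Randy describes.
CONSTRUCTED_NATIVE = "10:20:00.000000 infected.host.139 > my.net.5.139: S 1:1(0) win 8192 (ttl 128, id 1)"

# Old tcpdump syntax: "ts src.sport > dst.dport: S isn:isn(0) ..."
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+S\s+"
    r"(?P<seq>\d+):\d+\(0\)"
)
NBT_SESSION = 139  # NetBIOS session service, the port both posters are looking at


def to_seconds(ts):
    """'10:15:48.528735' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_syn(line):
    """Fields of one tcpdump SYN line, or None for anything that is not a SYN."""
    m = SYN_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    return {"t": to_seconds(f["ts"]), "src": f["src"], "sport": int(f["sport"]),
            "dst": f["dst"], "dport": int(f["dport"]), "seq": int(f["seq"])}


def group_attempts(lines, dport=NBT_SESSION):
    """Group SYNs to `dport` by (src, sport, dst, isn). Repeated SYNs sharing one ISN
    are kernel retransmits of a single connection attempt, not separate probes."""
    attempts = OrderedDict()
    for line in lines:
        p = parse_syn(line)
        if p is None or p["dport"] != dport:
            continue
        attempts.setdefault((p["src"], p["sport"], p["dst"], p["seq"]), []).append(p["t"])
    return attempts


def classify(lines, dport=NBT_SESSION):
    """Per source host: distinct targets, source ports used, retransmit count,
    inter-SYN gaps per attempt, and the thread's source-port verdict."""
    report = {}
    for (src, sport, dst, _seq), times in group_attempts(lines, dport).items():
        r = report.setdefault(src, {"targets": set(), "source_ports": set(),
                                    "retransmits": 0, "gaps": {}})
        r["targets"].add(dst)
        r["source_ports"].add(sport)
        r["retransmits"] += len(times) - 1
        r["gaps"][(sport, dst)] = [round(t1 - t0, 1) for t0, t1 in zip(times, times[1:])]
    for r in report.values():
        r["targets"] = sorted(r["targets"])
        r["source_ports"] = sorted(r["source_ports"])
        # Heuristic as stated in the thread: native NetBIOS mapping is 139 -> 139,
        # a scanner opening ordinary sockets shows ephemeral source ports.
        r["verdict"] = ("netbios-native (source port 139)" if r["source_ports"] == [dport]
                        else "scanner-style (ephemeral source ports)")
    return report


if __name__ == "__main__":
    for src, r in classify(TRACE.splitlines() + [CONSTRUCTED_NATIVE]).items():
        print(f"{src}: {len(r['targets'])} target(s) on tcp/{NBT_SESSION}, source ports "
              f"{r['source_ports']}, {r['retransmits']} retransmits -> {r['verdict']}")
        for (sport, dst), gaps in r["gaps"].items():
            print(f"  {sport} -> {dst}: gaps between SYNs {gaps} s")
```

Run as-is, it reports bad.guy.net.138 probing four hosts from four ephemeral ports with twelve retransmits, which is the scanner-style verdict George and Randy arrive at. The per-attempt gaps are worth printing because they tell a second story: the first three attempts back off at roughly 3, 6 and 12 seconds, the ordinary SYN retransmit schedule of a stack that is getting no answer, while the 3702 attempt re-sends every half second, so whatever is driving that last probe is not behaving like the first three.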