Security Incidents mailing list archives

RE: [unisog] odd traffic on port 80 from win 98 system


From: "Darlene Steeper" <dsteeper () uwo ca>
Date: Fri, 2 Aug 2002 09:30:15 -0400

You have a worm called: frethem

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FRETHEM.M&VSect=T

-----Original Message-----
From: Russell Fulton [mailto:r.fulton () auckland ac nz]
Sent: Friday, August 02, 2002 5:46 AM
To: incidents () securityfocus com; unisog () sans org
Cc: auscert () auscert org au
Subject: [unisog] odd traffic on port 80 from win 98 system


I have posted this to both the incidents and unisog lists -- apologies to
those of you who are on both...

Over the last 5 days a windows 98 system belonging to an academic has
been probing, what at first look apparently random addresses on tcp 80.
The probes are to about 3 - 4 addresses a minute -- much lower than any
worms I've seen before.  They look like connections from the regular
stack, source port increments, 4 or 5 SYNs sent if no response from
destination. I say 'apparently random address' because on closer
examination most of the addresses are from cable or DSL providers around
the world -- about what you would expect for a p2p app.

The machine is owned by a responsible, technically competent, senior
academic (he taught me first year Physics over 30 years ago ;-). It has
up to date NAV software with up to date definitions which has not
detected anything untoward.  When I first alerted them that something
odd was going on they installed a program that monitored network activity
and it said that 'taskbar.exe' was accessing the network, at which point
I started tcpdump to grab all traffic from the machine that was leaving
the network.

Here is what I found:
17:13:07.654448 geb.phy.auckland.ac.nz.1566 >
n002.n202-178-254-0-24.ethome.net.www: P 1:118(117) ack 1 win 8760 (DF)
0x0000   4500 009d ed04 4000 7e06 8d45 82d8 3683        E.....@.~..E..6.
0x0010   cab2 fe02 061e 0050 000f f95a ee38 fec8        .......P...Z.8..
0x0020   5018 2238 8b90 0000 4745 5420 2f62 2e63        P."8....GET./b.c
0x0030   6769 3f61 6c74 2631 3734 3634 3239 3637        gi?alt&174642967
0x0040   2630 3030 3030 3030 3030 3030 3020 4854        &000000000000.HT
0x0050   5450                                           TP

this is the packet that is sent to any addresses that respond on port
80.  The URIs are all identical except for the first number after the
alt, which changes, but all of the small sample I looked at start with
17 and have 9 digits.

Anyone recognise this?

Google produced several hits on /b.cgi but nothing that seemed relevant.

Ah, one more detail:  From our argus logs I have established that the
traffic started at 12:35 on the 22nd (UTC + 1200) with no incoming
traffic for the previous hour.  So far as the user can remember they
were clearing email at the time.  Pity I did not get on to this sooner;
he might have remembered more if 5 days had not elapsed, sigh...

The machine is rebooted every day so whatever it is survives reboots.

This looks like a P2P app but I don't recall one that works over http.

Come Monday I'll grab the best MS expertise I can get and go and
investigate the machine itself.

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

'It aint necessarily so'  - Gershwin

PS why do things like this break at 5pm on Friday?

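Added example, not code from either post: a small Python parser that rebuilds Russell's tcpdump hex dump into raw bytes, strips the IPv4 and TCP headers using the IHL and data-offset fields, and matches the `/b.cgi?alt&<digits>&<digits>` request line he describes. The dump below is copied from the message (ASCII gutter dropped); the regex and function names are my own.

```python
import re

# Hex columns copied from the tcpdump output in the post above. tcpdump
# truncated the frame at its snaplen, so the IP total length (0x009d = 157)
# is larger than the 82 bytes actually captured; we only parse what we have.
PROBE_HEX = """
0x0000   4500 009d ed04 4000 7e06 8d45 82d8 3683
0x0010   cab2 fe02 061e 0050 000f f95a ee38 fec8
0x0020   5018 2238 8b90 0000 4745 5420 2f62 2e63
0x0030   6769 3f61 6c74 2631 3734 3634 3239 3637
0x0040   2630 3030 3030 3030 3030 3030 3020 4854
0x0050   5450
"""

# Request-line shape described in the post: GET /b.cgi?alt&<number>&<number> HTTP
PROBE_RE = re.compile(rb"^GET /b\.cgi\?alt&(\d+)&(\d+) HTTP")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'tcpdump -x' style lines (offset column, then hex words) into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        words = line.split()[1:]             # drop the 0x0000 offset column
        out.extend(bytes.fromhex("".join(words)))
    return bytes(out)


def tcp_payload(pkt: bytes) -> tuple:
    """Return (src_port, dst_port, payload) for an IPv4 packet carrying TCP."""
    ihl = (pkt[0] & 0x0F) * 4                # IPv4 header length in bytes
    if pkt[9] != 6:                          # IP protocol field: 6 == TCP
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:]
    src = int.from_bytes(tcp[0:2], "big")
    dst = int.from_bytes(tcp[2:4], "big")
    data_off = (tcp[12] >> 4) * 4            # TCP header length in bytes
    return src, dst, tcp[data_off:]


def match_frethem_probe(pkt: bytes):
    """Return (dst_port, alt_value) when the packet carries the /b.cgi probe, else None."""
    _, dst, payload = tcp_payload(pkt)
    m = PROBE_RE.match(payload)
    if m is None:
        return None
    return dst, m.group(1).decode()


if __name__ == "__main__":
    print(match_frethem_probe(hexdump_to_bytes(PROBE_HEX)))   # (80, '174642967')
```

Feeding each captured packet through `match_frethem_probe` and counting distinct destination hosts per source gives the low-rate, many-destination profile Russell saw, which is the signal to look for on other machines.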

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
