Message-ID: <c8644aaa0508300627575eb583@mail.gmail.com>
Date: Tue Aug 30 14:27:48 2005
From: something.anonymous at gmail.com (Something Anonymous)
Subject: No one else seeing the new MS05-039 worm yet?
Does it listen on port 5000 too? Two attempts we've seen come from the machines
nmap'd below - wonder if it's what you're talking about - we think they're
being used as a proxy to jump from.
-sa
"Who you tryin' to get crazy with ese? Don't you know I'm loco?"
--------------------------------------------------------------------------------------------
(The 1653 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp filtered http
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open UPnP
6346/tcp open gnutella
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Pro RC1+ through final release
TCP Sequence Prediction: Class=random positive increments
Difficulty=13485 (Worthy challenge)
IPID Sequence Generation: Busy server or unknown class
Nmap finished: 1 IP address (1 host up) scanned in 479.660 seconds
Raw packets sent: 16 (960B) | Rcvd: 10 (558B)
--------------------------------------------------------------------------------------------
(The 1654 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1025/tcp filtered NFS-or-IIS
5000/tcp open UPnP
6346/tcp open gnutella
Device type: firewall
Running: Symantec Solaris 8
OS details: Symantec Enterprise Firewall v7.0.4 (on Solaris 8)
OS Fingerprint:
T1(Resp=N)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=N)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=20%IPLEN=38%RIPTL=148%RIPCK=E%UCK=F%ULEN=134%DAT=E)
Nmap finished: 1 IP address (1 host up) scanned in 40.168 seconds
Raw packets sent: 1892 (76.4KB) | Rcvd: 1765 (81.3KB)
--------------------------------------------------------------------------------------------
On 8/30/05, Vic Vandal <vvandal@...l.com> wrote:
> This has been going around since early Monday afternoon. Symantec
> and other AV vendors have had code since then, and no details STILL.
>
> I guess one can call it the Katrina worm until something better comes
> along.
>
> Details:
> - Exploits MS05-039, but also MS04-011 and MS03-026.
> - Scans on port 5000 and 135.
> - On workstations opens up range of listening ports above 1024,
> visible with "netstat -a".
> - Creates 40K svc.exe and several randomly named LARGE .exe files
> in: C:\WINNT directory.
> - Sticks a long line of hosts resolving to the broadcast address in the hosts file in:
> C:\WINNT\System32\Drivers\etc.
> - Adds reg key(s) under:
> HKLM\Software\Microsoft\Windows\CurrentVersion\Run
> which are those random .exe file names mentioned above.
> - May create svc.exe and exe.tmp reg keys under:
> HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\(machine key)\
> FilesNamedMRU (may be unrelated, not generally found on infected box).
> - Prevents killing processes via Task Manager (all processes backed by
> gray color, clicking individual processes does nothing).
> - One can use other utilities to kill running malware processes.
> - Symantec may report as Bobax.Z@mm and/or W32.HLLW.Nebiwo.
>
> Cleanup:
> - Backup registry.
> - Delete malware-related reg keys as noted.
> - Delete malware-related files.
> - Re-check registry, as executables may enter new values before all
> cleanup actions complete.
> - Edit hosts file, removing added data and saving afterward.
> - Empty Recycle Bin.
> - Patch infected machine.
> - Reboot.
> - Verify that symptoms are gone.
>
> I've not had time to decompile code to dig out other details, but
> cleanup routine seems sufficient for most part. Have had working
> routine since early afternoon, and expected details from vendors
> long before now.
>
> Peace,
> Vic
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
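As an added example (not code from either poster), a small check for the hosts-file symptom Vic describes, hostnames pinned to a broadcast address so that they can never resolve; the sample hosts file and its hostnames are constructed placeholders, not indicators from the worm.

```python
import ipaddress

# Constructed sample hosts file modelled on the described symptom: legitimate
# entries mixed with hostnames pinned to a broadcast address. The hostnames
# are placeholders, not real indicators.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
255.255.255.255 av-updates.example.invalid
255.255.255.255 liveupdate.example.invalid  definitions.example.invalid
10.1.2.255      vendor.example.invalid      # last octet 255, worth a look
192.0.2.10      intranet.example.invalid
"""


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) for each usable line of a hosts file.

    Comments (after '#') and blank lines are skipped; lines whose first field
    is not an IP address are ignored rather than raising.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield ip, fields[1:]


def broadcast_reason(ip):
    """Return why an address looks like a broadcast sink, or None if it doesn't."""
    if ip.version != 4:
        return None
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return "limited broadcast"
    if ip.packed[-1] == 255:          # heuristic: x.x.x.255, likely a /24 directed broadcast
        return "last octet 255"
    return None


def suspicious_entries(text):
    """Return [(ip, hostname, reason)] for hosts entries pinned to a broadcast-style address."""
    hits = []
    for ip, names in parse_hosts(text):
        reason = broadcast_reason(ip)
        if reason:
            hits.extend((str(ip), name, reason) for name in names)
    return hits
```

On a suspect box, read `%SystemRoot%\System32\Drivers\etc\hosts` into `suspicious_entries` and review every hit before editing the file, since the "last octet 255" heuristic can also match a normal address on a network larger than a /24.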