SANS ISC: New mydoom variant; ARCserve exploitation has begun... got Port 41523 TCP packets?


New MyDoom variant peaked early, then phizzled


It has been reported that a new variation of MyDoom has been spreading on the Internet tonight. Like many of the previous variations of the MyDoom virus, the email appears to come from the ISP of the recipient and contains an executable or zipped attachment. Based on observations by many of the handlers and readers of the ISC, this new variant peaked around 5pm Eastern on Wednesday, and started to get picked up by new anti-virus definitions around 10pm Eastern.
Below is an example of the message body:

######### example ##############
Dear user <insert email address>,

Your email account has been used to send a huge amount of unsolicited
commercial email messages during this week. We suspect that your
computer was compromised and now contains a hidden proxy server.

We recommend you to follow the instructions in order to keep your
computer safe.

Have a nice day,
<insert domain name> support team.
######### /example ##############


An interesting note about this mydoom, bagle, beagle, netsky phenomenon is that there is such a discrepancy between antivirus companies on naming/identifying these nasties. Granted, IDS vendors have the same issues with naming detects, as do vulnerability scanners. Funny thing is that since many of these bugs' names have wrapped the alphabet twice, we may now start to append unicode chars to the end of them :-)

Here is a sampling of names submitted by one of our handlers:

Product       Version          Definitions   Detection name
AntiVir       6.29.0.16        02.17.2005    Worm/MyDoom.BB
AVG           718              02.17.2005    I-Worm/Mydoom.AP
BitDefender   7.0              02.17.2005    Win32.Mydoom.AQ@mm
ClamAV        devel-20050130   02.16.2005    Worm.Mydoom.M-2
DrWeb         4.32b            02.17.2005    Win32.HLLM.MyDoom.54464
eTrust-Iris   7.1.194.0        02.17.2005    Win32/Mydoom.AU!Worm
eTrust-Vet    11.7.0.0         02.17.2005    Win32.Mydoom.AU
Fortinet      2.51             02.17.2005    W32/Mydoom.BB-mm
F-Prot        3.16a            02.17.2005    W32/Mydoom.AY@mm
Kaspersky     4.0.2.24         02.17.2005    Email-Worm.Win32.Mydoom.am
NOD32v2       1.1000           02.16.2005    probably unknown NewHeur_PE virus
Norman        5.70.10          02.17.2005    MyDoom.AQ@mm
Panda         8.02.00          02.17.2005    W32/Mydoom.AO.worm
Sybari        7.5.1314         02.17.2005    I-Worm.MyDoom.AX

For more information on this variant of mydoom, please see:

http://secunia.com/virus_information/15463/mydoom.bb/
http://vil.nai.com/vil/content/v_131856.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.BB
http://www.sarc.com/avcenter/venc/data/w32.mydoom.ax@mm.html
http://www.sophos.com/virusinfo/analyses/w32mydoomo.html

Thanks to the always 31337 handlers: Scott Fendley and Tom Liston for helping out with this one :-)


ARCserve POC exploit has been released, scanning has begun

Yet another target for the kiddies... there is a published exploit for CA's BrightStor ARCserve Backup buffer overflow and ISC readers are already noticing scans for it on TCP port 41523. (URLs updated by Jim Clausing, previous APAR withdrawn in favor of this new one)

http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO64538&startsearch=1

(Added by Ed Skoudis): More detail can be found here: http://supportconnect.ca.com/sc/solcenter/sol_detail.jsp?aparno=QO64538&os=NT&returninput=0

Port 41523 TCP, got packets?

http://isc.sans.org/port_details.php?port=41523

A number of people have written in with concern over an upswing in TCP port 41523 packets inbound. Has anyone seen any of these packets egressing from your network? ISC Handlers would be very interested in finding the malware (especially if it is different from the published exploit on k-otik) for this traffic. If you have seen this traffic, please save packets in tcpdump format. Also, if you see this traffic communicating inbound (not just SYN probes), we would be interested in seeing this too.
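The diary asks readers to distinguish three things in their port 41523 traffic: inbound SYN probes (background scanning), inbound sessions that actually carry data (a possible exploitation attempt worth capturing), and anything leaving your own network towards port 41523 (a sign that an internal host may be scanning on behalf of the malware). The following triage script is an added example and is not part of the original diary; it assumes a simplified tcpdump-style text line format and an internal address range of 192.0.2.0/24, and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption (constructed for this example): our own address space.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
# TCP port used by the BrightStor ARCserve service discussed in the diary.
ARCSERVE_PORT = 41523

# Simplified tcpdump-style text line (a constructed format, not tcpdump's exact output):
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], length <n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, length (?P<length>\d+))?"
)


def classify(line):
    """Return a category for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    flags = m["flags"]
    length = int(m["length"] or 0)

    if dport != ARCSERVE_PORT:
        return "other"  # replies from port 41523 and unrelated traffic
    src_internal = src in INTERNAL
    dst_internal = dst in INTERNAL

    if not src_internal and dst_internal:
        if flags == "S":
            return "inbound_probe"  # bare SYN: a scan, not yet an exploit attempt
        if length > 0:
            return "inbound_data"  # established session with payload: capture this
        return "inbound_other"
    if src_internal and not dst_internal:
        return "egress"  # an internal host scanning out: possibly infected
    return "other"


def summarize(lines):
    """Count each category and list internal hosts seen scanning outbound."""
    counts = Counter()
    egress_hosts = set()
    for line in lines:
        kind = classify(line)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "egress":
            egress_hosts.add(LINE_RE.match(line)["src"])
    return counts, sorted(egress_hosts)


# Constructed sample: two external scanners, one inbound session carrying
# data, and one internal host scanning two outside addresses on 41523.
SAMPLE = """\
10:01:02.100 IP 198.51.100.7.4012 > 192.0.2.10.41523: Flags [S], length 0
10:01:02.200 IP 198.51.100.7.4013 > 192.0.2.11.41523: Flags [S], length 0
10:01:03.000 IP 198.51.100.9.2200 > 192.0.2.10.41523: Flags [S], length 0
10:01:03.050 IP 192.0.2.10.41523 > 198.51.100.9.2200: Flags [S.], length 0
10:01:03.100 IP 198.51.100.9.2200 > 192.0.2.10.41523: Flags [P.], length 1460
10:02:00.000 IP 192.0.2.25.1090 > 203.0.113.40.41523: Flags [S], length 0
10:02:00.010 IP 192.0.2.25.1091 > 203.0.113.41.41523: Flags [S], length 0
10:02:00.500 IP 192.0.2.25.1092 > 203.0.113.40.80: Flags [S], length 0
"""

if __name__ == "__main__":
    counts, hosts = summarize(SAMPLE.splitlines())
    for kind, n in sorted(counts.items()):
        print(f"{kind:14s} {n}")
    if hosts:
        print("internal hosts scanning outbound on 41523:", ", ".join(hosts))
```

Run against a real capture, the `inbound_data` lines point at sessions whose packets are worth saving (in tcpdump format, as the diary requests), and a non-empty egress host list is the first thing to investigate on your own network.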

Mike Poor

echo "mikepoorhandlerondutyisageek" | sed -e s/poor/\@/g -e s/isageek/\.com/g -e s/handleronduty/intelguardians/g
Feb 18th 2005