A fine gentleman in New Zealand passed this information along. A nice in-depth analysis. A sign of infection seems to be heavy outbound traffic on 5800 and 5900, which could be useful if you want to stop an outbound flood without null routing the destination network.

-----Original Message-----
From: Arjen De Landgraaf
Sent: Monday, 10 March 2003 12:18 p.m.
To: 'Jonathan Claybaugh'; nanog@merit.edu
Subject: RE: Port 445 issues (was: Port 80 Issues)

E-Secure-IT issued a security alert on Saturday New Zealand Time.

Info: This attack is currently intensifying. (See the DShield port 445 graph website at the bottom of this alert for info on the increase.)

For updates we strongly advise subscribers to activate their alert notifications on the E-Secure-IT folder "Port 445 Worm info" in location:
http://www.e-secure-it.co.nz/dscgi/ds.py/View/Collection-2519

New info on 445 will not be placed in this Virus Alert folder anymore, but only in the new port 445 folder instead. This is done to keep the "virus alerts" free for non-445-related alerts.

Analysis (combined info from messages collected in the port 445 folder):

Early indication of possible infection:
1. Your infrastructure contains server(s) running Windows 2000 or NT
2. Server(s) have (incoming) port 445 open
3. Outgoing ports 5800 and 5900 opened (activated by worm)
4. Server(s) sending large quantities of packets out to 445 with consecutive IPs as destination addresses
5. Servers contain a Dvldr32.exe executable (responsible for outgoing packets)

Other indications (see also file analysis further down this alert):

Possible abnormal files installed:

File               Location                                         Size
dvldr32.exe        %windir%/system32 (NT/2K), %windir%/system (9x)  745,984
explorer.exe       %windir%/fonts                                   212,992
omnithread_rt.dll  %windir%/fonts                                    57,344
VNCHooks.dll       %windir%/fonts                                    32,768
rundll32.exe       %windir%/fonts                                    29,336
cygwin1.dll        %windir%/system32 (NT/2K)                        944,968
cygwin1.dll        %windir%/system (9x)                             944,968
inst.exe           C:\WINDOWS\Start Menu\Programs\Startup\          684,562
inst.exe           C:\WINNT\All Users\Start Menu\Programs\Startup\  684,562

Possible registry changes:

The regedit table is modified as follows:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMan"="C:\\WINDOWS\\Fonts\\rundll32.exe"
"Explorer"="C:\\WINDOWS\\Fonts\\explorer.exe"

[HKEY_CURRENT_USER\Software\ORL]

[HKEY_CURRENT_USER\Software\ORL\WinVNC3]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"Password"=hex:[here we do some shields]
"PollUnderCursor"=dword:00000001
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000001
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000001

[HKEY_CURRENT_USER\Software\ORL\VNCHooks]

[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs]

[HKEY_CURRENT_USER\Software\ORL\VNCHooks\Application_Prefs\EXPLORER.EXE]

Dvldr32.exe analysis:

Dvldr32.exe is packed by Aspack. This virus, which is written in MS VC6.0, sends out large amounts of packets with the aim of infecting the network. This file also includes 3 executable files. Two of them are "Psexesvc" and "Remote process launcher". They are command-line tools published by Sysinternals Corporation. They are not written to the file system and are called by Dvldr32.exe only. The other program is an install package made by an uncommon install tool. The package includes 5 files, 3 of which (Explorer.exe, VNCdll32.dll and Omnithread_rt.dll) are network management tools which belong to the corporation AT&T. Rundll32.dll is not the normal one in the Microsoft operating system. It may be a Linux program which was transplanted to Windows.

Spread principle:

When running, the program will select 2 IP sections at random and connect to the target host's port 445 to get networking packages. Once the target machine's administrator password is null or in the list following here, the program will copy itself to that system.

Passwords tried by worm to enter system:

No password "admin" "Admin" "password" "Password" "1" "12" "123" "1234" "12345" "123456" "1234567" "12345678" "123456789" "654321" "54321" "111" "000000" "00000000" "11111111" "88888888" "pass" "passwd" "database" "abcd" "abc123" "oracle" "sybase" "123qwe" "server" "computer" "Internet" "super" "123asd" "ihavenopass" "godblessyou" "enable" "xp" "2002" "2003" "2600" "0" "110" "111111" "121212" "123123" "1234qwer" "123abc" "007" "alpha" "patrick" "pat" "administrator" "root" "sex" "god" "foobar" "a" "aaa" "abc" "test" "test123" "temp" "temp123" "win" "pc" "asdf" "secret" "qwer" "yxcv" "zxcv" "home" "xxx" "owner" "login" "Login" "pwd" "pass" "love" "mypc" "mypc123" "admin123" "pw123" "mypass" "mypass123"

Backdoor:

The virus uses the regular system management tool VNC (version 3.3.3.9) (from AT&T) as its backdoor, and installs it on the target computer's operating system. Through some technical measures, the icon will not appear when VNC is running. Because VNC cannot connect to the computer when the machine is locked, this function is limited.

E-Secure-IT collates all available info around this new port 445 attack. We strongly advise subscribers to activate their alert notifications on the E-Secure-IT folder "Port 445 Worm info" in location:
http://www.e-secure-it.co.nz/dscgi/ds.py/View/Collection-2519

For further info on VNC and TightVNC (Virtual Network Computing) - AT&T, see the E-Secure-IT folder:
http://www.e-secure-it.co.nz/dscgi/ds.py/View/Collection-729

Web address of updated graphs:
http://isc.incidents.org/port_details.html?port=445

E-Secure-IT Administrator
www.e-secure-it.us
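As an added example (not part of the original alert or of E-Secure-IT's material): a small Python script that applies the network-side indicators from the list above, namely outbound port 445 connections to runs of consecutive destination IPs together with outbound 5800/5900, to flow records of the kind a router or firewall exports. The flow tuples, the host addresses and the run-length threshold are constructed for illustration and are assumptions, not values from the alert.

```python
"""Flag hosts that show the port-445 worm traffic pattern from the alert:
many outbound SMB (445) connections to consecutive destination IPs, plus
outbound VNC (5800/5900). Detection-side only; it reads flow records."""
import ipaddress
from collections import defaultdict

# Constructed sample flow records (src_ip, dst_ip, dst_port). Not from the alert.
SAMPLE_FLOWS = (
    # sweeping host: SMB to 40 consecutive addresses, then VNC to one of them
    [("10.0.0.5", f"192.168.1.{i}", 445) for i in range(1, 41)]
    + [("10.0.0.5", "192.168.1.7", 5900)]
    # ordinary workstation: two file servers and some web browsing
    + [("10.0.0.9", "10.0.0.2", 445), ("10.0.0.9", "10.0.0.3", 445),
       ("10.0.0.9", "203.0.113.10", 80), ("10.0.0.9", "203.0.113.11", 443)]
    # admin host using VNC legitimately, no SMB sweep
    + [("10.0.0.11", "10.0.0.50", 5800)]
)


def longest_consecutive_run(sorted_ints):
    """Length of the longest run of values that differ by exactly 1."""
    best = run = 0
    prev = None
    for v in sorted_ints:
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best = max(best, run)
        prev = v
    return best


def analyze_flows(flows, min_run=8):
    """Return a per-source report. A source is 'suspected' when it has
    contacted at least min_run consecutive destination IPs on port 445;
    outbound 5800/5900 destinations are reported as the secondary indicator.
    min_run is an assumed threshold, not a value from the alert."""
    smb_targets = defaultdict(set)   # src -> set of dst IPs as integers
    vnc_targets = defaultdict(set)   # src -> set of dst IPs as strings
    for src, dst, port in flows:
        if port == 445:
            smb_targets[src].add(int(ipaddress.ip_address(dst)))
        elif port in (5800, 5900):
            vnc_targets[src].add(dst)

    report = {}
    for src in sorted(set(smb_targets) | set(vnc_targets)):
        targets = sorted(smb_targets.get(src, ()))
        run = longest_consecutive_run(targets)
        report[src] = {
            "smb_targets": len(targets),
            "longest_run": run,
            "vnc_dsts": sorted(vnc_targets.get(src, ())),
            "suspected": run >= min_run,
        }
    return report


if __name__ == "__main__":
    for src, info in analyze_flows(SAMPLE_FLOWS).items():
        flag = "SUSPECTED" if info["suspected"] else "ok"
        print(f"{src:12} 445 targets={info['smb_targets']:3} "
              f"longest run={info['longest_run']:3} "
              f"vnc to={info['vnc_dsts']} -> {flag}")
```

The consecutive-run check is what separates the worm's sweep from a workstation that legitimately talks SMB to a handful of servers; the VNC column is kept separate so an administrator's own 5800/5900 use is visible but does not by itself raise the flag.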