// The packets are small, since I am seeing a large number of packets, but
// the bit count is low.
// 30 second input rate 72679000 bits/sec, 41033 packets/sec
// 30 second output rate 29208000 bits/sec, 7687 packets/sec
// Input bits per second are a little above normal, but the packet count
// would normally be under 10000 not 41000.
//
// Ideas?

This is likely a variant of what I foresee to become the "next big pain", a variant of sdbot, of which McAfee claims there are 4000 variants. I've had to deal with quite a few (and climbing) numbers of infected users of this pain. We use a Packeteer and have listed comps sending outbound 445 garbage, and I've found that almost all have been infected by one of the versions of this particular worm. Which of the 4000 versions it is eludes me.

This is what I've seen so far. If you look at the machine sending the traffic out, you're likely going to see a smorgasbord of junk in c:\WINDOWS\system32 ... If you view the folder as a list, then sort by date, you're likely to find a huge amount of executables on the machine, as well as logs, TFTP information, etc. You can try opening up task manager but it will be useless... So being I'm already getting more and more familiar with this pest, here is what it does:

/////
Public Sub AVkiller()
On Error Resume Next 'prefix
Dim AVmonz As Variant ' varz:
Dim Cur As String '---||---
Dim i '---||---
AVmonz = Array("", "AVP Monitor", _
"AntiVir", _
"Vshwin", _
"F-STOPW", _
"F-Secure", _
"vettray", _
"InoculateIT", _
"Norman Virus Control", _
"navpw32", _
"Norton AntiVirus", _
"Iomon98", _
"AVG", _
"NOD32", _
"Dr.Web", _
"Amon", _
"Trend PC-cillin", _
"File Monitor", _
"Registry Monitor", _
"Registry Editor", _
"Task Manager") 'Declaration of AV shitz
For i = 1 To 20 'kill'em all...
Cur = AVmonz(i) 'convert to string
Call TerminateTask(Cur) 'terminate task ;)
Next i
End Sub
/////

Nifty huh?
The virus installs itself in the registry under odd names associated with Microsoft; for example, so far I've seen it installed in a Run, Run Once folder called Windows Security, Windows Update, etc. There is no removal tool for this and, being it renders much virus software useless, you can either have a user reinstall Windows, or you can search the machine for instances of things created on the same date as the serv32.exe program, or one of the other ones it installs.

Now... The worm seems to perhaps download 4 other programs I've always seen running in conjunction with it: wupd.exe, which masquerades as "Windows Update"; ftpd.exe, which opens up an ftp server on the infected machine and goes around re-downloading various other viruses and worms onto the infected machine; and one which I believe tries to infect other machines, perhaps a-la Blaster worm. Another program seems to randomly rename viruses and worms once downloaded, so for example wupd.exe will probably turn into something like A032424.exe the next time around, and so on and so forth.

So far I've seen students where I am getting this via file sharing; one program which has been sticking out like a sore thumb is something called ARES. It could also be spreading, again, through some of the katrillion MS vulnerabilities and perhaps even the newly discovered "Drag and Drop" vulnerability.

Drag and Drop vulnerabilities
http://secunia.com/advisories/12321/

So now there is also the "bling.exe" issue, which is the worm that "sniffs out passwords" (http://isc.sans.org/diary.php?date=2004-09-12); this one opens up an irc connection to dump out data to some channel. I will eventually (when I have some time) hexedit some of these to see what it does and perhaps repost more information. For a full view of what serv32.exe does, please check out the coding at http://www.infiltrated.net/wormcode.txt which lists the original URL (site down so it's Google cached).

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How can we account for our present situation unless we believe that men high in this government are concerting to deliver us to disaster?" Joseph McCarthy "America's Retreat from Victory"
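Two of the observations in this thread (the quoted router counters showing many small packets, and the Packeteer list of hosts "sending outbound 445 garbage") lend themselves to a quick automated check. The script below is an added example, not code from the post or from either of the sites it links: it parses Cisco-style "N second input/output rate" lines such as the ones quoted above, derives the average packet size from bits/sec and packets/sec, and flags a sample whose packet rate exceeds a stated baseline (the quoted post says under 10000 pps is normal) while the average packet is small. It also counts, per source host, how many distinct destinations were contacted on TCP 445 from a set of flow records; the flow records, the 300-byte size cutoff and the 5-target threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Cisco "show interface" style rate lines, as quoted at the top of the thread:
#   30 second input rate 72679000 bits/sec, 41033 packets/sec
RATE_RE = re.compile(
    r"(?P<window>\d+)\s+(?:second|minute)\s+(?P<direction>input|output)\s+rate\s+"
    r"(?P<bps>\d+)\s+bits/sec,\s+(?P<pps>\d+)\s+packets/sec"
)

# Lines copied from the quoted router output; the "//" quote prefix is
# stripped so the sample reads like raw CLI output.
SAMPLE_SHOW_INTERFACE = """\
30 second input rate 72679000 bits/sec, 41033 packets/sec
30 second output rate 29208000 bits/sec, 7687 packets/sec
"""


@dataclass
class RateSample:
    direction: str
    bits_per_sec: int
    packets_per_sec: int

    @property
    def avg_packet_bytes(self) -> float:
        """Average frame size implied by the two counters (0 if idle)."""
        if self.packets_per_sec == 0:
            return 0.0
        return self.bits_per_sec / 8 / self.packets_per_sec


def parse_rate_lines(text: str) -> list[RateSample]:
    """Extract every input/output rate line from a block of CLI output."""
    return [
        RateSample(m["direction"], int(m["bps"]), int(m["pps"]))
        for m in RATE_RE.finditer(text)
    ]


def is_small_packet_flood(sample: RateSample, baseline_pps: int,
                          max_avg_bytes: float = 300.0) -> bool:
    """Flag a sample whose packet rate is above the site baseline while the
    average packet is small: connection-attempt or scan floods look like
    this, bulk file transfers do not."""
    return (sample.packets_per_sec > baseline_pps
            and sample.avg_packet_bytes < max_avg_bytes)


# Constructed flow records (src dst dport), not from the original post.
SAMPLE_FLOWS = """\
10.1.2.3 10.9.0.1 445
10.1.2.3 10.9.0.2 445
10.1.2.3 10.9.0.3 445
10.1.2.3 10.9.0.4 445
10.1.2.3 10.9.0.5 445
10.1.2.3 10.9.0.6 445
10.1.2.3 10.9.0.6 445
10.1.2.4 10.9.0.7 445
10.1.2.4 10.9.0.8 80
"""


def outbound_fanout(flow_text: str, dport: str = "445",
                    min_targets: int = 5) -> dict[str, int]:
    """Count distinct destinations per source on one port and return the
    sources at or above the threshold, i.e. the hosts worth pulling for
    the same-date file triage the post describes."""
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        if port == dport:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for s in parse_rate_lines(SAMPLE_SHOW_INTERFACE):
        print(f"{s.direction}: {s.packets_per_sec} pps, "
              f"{s.avg_packet_bytes:.1f} B/pkt, "
              f"flood={is_small_packet_flood(s, baseline_pps=10000)}")
    print("suspect hosts:", outbound_fanout(SAMPLE_FLOWS))
```

On the quoted counters the input side works out to about 221 bytes per packet at 41033 pps, which trips the check, while the output side (about 475 bytes at 7687 pps) does not; the fan-out count is the piece to feed with real NetFlow or firewall logs, with the threshold tuned so that file servers and domain controllers, which legitimately talk to many hosts on 445, are excluded.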