[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] W32/Welchia, W32/Nachi backdoor?

To: "'Full-Disclosure@Lists.Netsys.Com'" <full-disclosure@lists.netsys.com>
Subject: [Full-Disclosure] W32/Welchia, W32/Nachi backdoor?
From: "Barry Irwin" <bvi@lair.moria.org>
Date: Wed, 20 Aug 2003 17:20:15 +0200


From the AUSCERT announcement

>It usually arrives as DLLHOST.EXE (~10,240 bytes) and opens port 707, for
its malicious routines. >Similar to the earlier MSBLAST worm variants, this
malware also exploits the RPC DCOM Buffer >Overflow,and instructs target
systems to download its copy from the affected system using the TFTP
>program [1]

>creates a backdoor listening on TCP/707 or some other randomly chosen port
between TCP/666 and >TCP/765 [2]

Telnetting to this port seems to disconnected after 1-5 characters have been
entered?  This doesn't look like TFTP (port 65/tcp&UDP), and the windows
tftp client doesn't seem to offer any means of specifying a port to connect
to?

Is this some kind of password protected backdoor ?

Barry

[1]http://www.auscert.org.au/render.html?it=3359&cid=1
[2]http://securecomputing.stanford.edu/win-rpc.html
--
Barry Irwin
bvi@moria.org
http://lair.moria.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- RE: [Full-Disclosure] W32/Welchia, W32/Nachi backdoor?
  - From: "Chris Eagle" <cseagle@redshift.com>
- Re: [Full-Disclosure] W32/Welchia, W32/Nachi backdoor?
  - From: malware@t-online.de (Michael Mueller)

Prev by Date: RE: [Full-Disclosure] Administrivia: Testing Emergency Virus Filter..
Next by Date: Re: [Full-Disclosure] Al Qaida claims responsibility for blackout
Prev by thread: [Full-Disclosure] Snorting Nachi
Next by thread: RE: [Full-Disclosure] W32/Welchia, W32/Nachi backdoor?
Index(es):
- Date
- Thread