[nsp-sec] new storm campagn

Smith, Donald Donald.Smith at qwest.com
Tue Feb 12 12:14:51 EST 2008


I have run a report; there are definitely storm worm type communications going on within the set of IPs Jose provided us.
This version of the storm worm is using URLs with IP addresses in them.


RM=for(1)
{manage_risk(identify_risk(product[i++]))}
Donald.Smith at qwest.com giac 
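As an added example (not part of the original message or of any tool the thread mentions), the observation above that this campaign uses URLs whose host is a bare IP address can be turned into a simple proxy-log check. The log format below (timestamp, client, method, URL) and all addresses are constructed for the example; the `.exe` flag echoes the "valentine.exe" filename from the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the original post):
# "<timestamp> <client-ip> <method> <url>"; RFC 5737 / 3849 documentation addresses.
SAMPLE_LOG = """\
1202820000.123 10.0.0.5 GET http://www.example.com/index.html
1202820001.456 10.0.0.7 GET http://203.0.113.9/valentine.exe
1202820002.789 10.0.0.7 GET http://203.0.113.9/
1202820003.012 10.0.0.9 GET http://[2001:db8::1]/download/valentine.exe
1202820004.345 10.0.0.5 GET https://cdn.example.net/static/app.js
"""


def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4/IPv6 address instead of a hostname.

    urlsplit().hostname already strips the brackets from an IPv6 literal,
    so ipaddress.ip_address() can validate both families directly.
    """
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_ip_literal_urls(log_text):
    """Return (client, url, fetched_exe) for every request to an IP-literal host.

    Malformed lines are skipped instead of aborting the scan.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, _method, url = parts[:4]
        if host_is_ip_literal(url):
            fetched_exe = urlsplit(url).path.lower().endswith(".exe")
            hits.append((client, url, fetched_exe))
    return hits


def summarize_by_client(hits):
    """Count IP-literal requests per internal client, to prioritise follow-up."""
    counts = {}
    for client, _url, _exe in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for client, url, exe in find_ip_literal_urls(SAMPLE_LOG):
        print(f"{client} -> {url}{'  [executable]' if exe else ''}")
```

Requests to IP-literal hosts are common enough in legitimate traffic (internal services, some CDNs) that this is a triage filter, not a verdict; the executable flag and the per-client count are what make a hit worth looking at.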

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Par Osterberg Medina
> Sent: Tuesday, February 12, 2008 5:50 AM
> To: Jose Nazario
> Cc: nsp-security NSP
> Subject: Re: [nsp-sec] new storm campagn
> 
> ----------- nsp-security Confidential --------
> 
> Hello Jose,
> 
> I will proxy this information to the following ASN;
> 
> 39651   | 83.250.1.46      | 31739           | COMHEM-SWEDEN Com Hem Sweden
> 1257    | 213.100.19.180   | 3780            | TELE2
> 3301    | 217.211.224.20   | 11856           | TELIANET-SWEDEN TeliaNet Sweden
> 3301    | 213.65.201.12    | 10908           | TELIANET-SWEDEN TeliaNet Sweden
> 3301    | 78.69.119.89     | 10136           | TELIANET-SWEDEN TeliaNet Sweden
> 6830    | 86.101.64.234    | 7524            | UPC UPC Broadband
> 
> All the best
> Pär Österberg Medina - Sitic
> 
> 
> Jose Nazario wrote:
> > ----------- nsp-security Confidential --------
> > 
> > ------------------------------------------------------------------------
> > 
> > new storm campaign, basic website with "valentine.exe" meta-refresh and link.
> > 
> > sample i analyzed;
> > 
> > MD5: 69bc930b30ef8f0bd11de13d5a6458af
> > SHA1: 5d5955402cafd21fcebe45d510d43e7216652065
> > File type: MS Windows PE
> > File size: 128000 bytes
> > 
> > peerlist decoded and ASN resolved (ip, asn, port, netname) attached.
> > 
> > New Files
> > 
> > C:\WINDOWS\system32\diperto.ini
> > C:\WINDOWS\system32\diperto7701-7a5c.sys
> > 
> > Open Service Manager - Name: "SCM"
> > 
> > Create Service - Name: (diperto7701-7a5c) Display Name: (diperto7701-7a5c) File Name: (C:\WINDOWS\system32\diperto7701-7a5c.sys) Control: () Start Type: (SERVICE_AUTO_START)
> > 
> > Start Service - Name: (diperto7701-7a5c) Display Name: () File Name: () Control: () Start Type: ()
> > 
> > Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\diperto7701-7a5c) File Name: ()
> > 
> > heads up ...
> > 
> > -------------------------------------------------------------
> > jose nazario, ph.d.     <jose at arbor.net>
> > security researcher, office of the CTO,  arbor networks
> > v: (734) 821 1427           http://asert.arbornetworks.com/
> > 
> > 
> > 
> > ------------------------------------------------------------------------
> > 
> > 
> > 
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> > 
> > Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > community. Confidentiality is essential for effective Internet security counter-measures.
> > _______________________________________________
> 
> 
> 
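The reply above forwards each affected network's own rows from the decoded peerlist ("ip, asn, port, netname"). As an added example, not code from the thread or from any of the participants, here is a small parser for that row layout that validates each field and groups the rows by ASN so that every network owner receives only its own addresses. The sample rows are constructed (private-use ASNs and RFC 5737 documentation addresses), not the real rows from the post.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the same "asn | ip | port | netname" layout as the
# thread's peerlist; the fourth row is deliberately malformed.
SAMPLE_PEERLIST = """\
64500   | 192.0.2.10       | 31739           | EXAMPLE-NET-A Example Net A
64501   | 198.51.100.7     | 3780            | EXAMPLE-NET-B
64500   | 192.0.2.44       | 11856           | EXAMPLE-NET-A Example Net A
64502   | not.an.ip        | 7524            | BROKEN-ROW
64500   | 203.0.113.5      | 10136           | EXAMPLE-NET-A Example Net A
"""


def parse_peerlist(text):
    """Parse pipe-separated rows into dicts; return (rows, number_skipped).

    A row is skipped when it does not have four fields, when the ASN or port
    is not an integer, when the port is out of range, or when the address
    does not parse. Skipping rather than raising keeps one bad line from
    losing a whole notification batch.
    """
    rows, skipped = [], 0
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            skipped += 1
            continue
        asn, ip, port, netname = fields
        try:
            row = {
                "asn": int(asn),
                "ip": str(ipaddress.ip_address(ip)),
                "port": int(port),
                "netname": netname,
            }
        except ValueError:
            skipped += 1
            continue
        if not 0 < row["port"] < 65536:
            skipped += 1
            continue
        rows.append(row)
    return rows, skipped


def group_by_asn(rows):
    """Map ASN -> sorted list of (ip, port), one bucket per network owner."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["asn"]].append((r["ip"], r["port"]))
    return {asn: sorted(peers) for asn, peers in groups.items()}


if __name__ == "__main__":
    rows, skipped = parse_peerlist(SAMPLE_PEERLIST)
    print(f"{len(rows)} rows parsed, {skipped} skipped")
    for asn, peers in sorted(group_by_asn(rows).items()):
        print(f"AS{asn}: {peers}")
```

Grouping before forwarding matters for the confidentiality norm the list footer states: each ASN contact sees only the peers inside its own network, not the whole list.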


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.
