Full Version: Worm?
Nexcess
This was captured through my honeypot; it's the data sent to 3127. Since I can't believe people are still scanning for doom, I wondered if it might be a worm.
Anyway, here's the hex data sent to my honeypot:

000000 | 85 13 3C 9E A2 4D 5A 90 00 03 00 00 00 04 00 00 | ..<..MZ.........
000010 | 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 | .............@..
000020 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000040 | 00 D0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 | .............!..
000050 | 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 | L.!This program
000060 | 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E | cannot be run in
000070 | 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 |  DOS mode....$..
000080 | 00 00 00 00 00 B5 2E 24 6F F1 4F 4A 3C F1 4F 4A | .......$o.OJ<.OJ
000090 | 3C F1 4F 4A 3C 0B 6B 0A 3C F3 4F 4A 3C 0B 6C 53 | <.OJ<.k.<.OJ<.lS
0000A0 | 3C F8 4F 4A 3C F1 4F 4B 3C DE 4F 4A 3C 0B 6B 56 | <.OJ<.OK<.OJ<.kV
0000B0 | 3C F0 4F 4A 3C 0B 6B 77 3C F0 4F 4A 3C 52 69 63 | <.OJ<.kw<.OJ<Ric
0000C0 | 68 F1 4F 4A 3C 00 00 00 00 00 00 00 00 00 00 00 | h.OJ<...........
0000D0 | 00 00 00 00 00 50 45 00 00 4C 01 03 00 12 4A 16 | .....PE..L....J.
0000E0 | 40 00 00 00 00 00 00 00 00 E0 00 0F 01 0B 01 07 | @...............
0000F0 | 00 00 90 00 00 00 10 00 00 00 50 00 00 00 E7 00 | ..........P.....
000100 | 00 00 60 00 00 00 F0 00 00 00 00 40 00 00 10 00 | ..`........@....
000110 | 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 | ................
000120 | 00 00 00 00 00 00 00 01 00 00 10 00 00 00 00 00 | ................
000130 | 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 | ................
000140 | 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 | ................
000150 | 00 00 00 00 00 00 F0 00 00 04 01 00 00 00 00 00 | ................
000160 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000170 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000180 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000190 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0001A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0001B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0001C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 | .............UPX
0001D0 | 30 00 00 00 00 00 50 00 00 00 10 00 00 00 00 00 | 0.....P.........
0001E0 | 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0001F0 | 00 80 00 00 E0 55 50 58 31 00 00 00 00 00 90 00 | .....UPX1.......
000200 | 00 00 60 00 00 00 8A 00 00 00 04 00 00 00 00 00 | ..`.............
000210 | 00 00 00 00 00 00 00 00 00 40 00 00 E0 55 50 58 | .........@...UPX
000220 | 32 00 00 00 00 00 10 00 00 00 F0 00 00 00 02 00 | 2...............
000230 | 00 00 8E 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000240 | 00 40 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 | .@..............
000250 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000260 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000270 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000280 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000290 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0002A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0002B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0002C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0002D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0002E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0002F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000300 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000310 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000320 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000330 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000340 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000350 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000360 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000370 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000380 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000390 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0003A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0003B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0003C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0003D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0003E0 | 31 2E 32 34 00 55 50 58 21 0C 09 02 09 F9 DE A8 | 1.24.UPX!.......
0003F0 | 6E B5 5C BA 83 98 C3 00 00 FA 86 00 00 00 A8 00 | n.\.............



Kid with too much free time or evil worm?
Flowby
It could be both, you never know, but you can see from the report that somebody was trying to send you an executable!!!!!
sPiKie
Yup, that kid tried to MyDoom-exploit you. So you can just say he tried to send you a Windows executable and used the MyDoom.A Upload\Exec, made by me or made by kralor..... Kinda fun that kiddies use this tool; I personally used it to secure connections..
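A triage script for a capture like this one, added here as a worked example and not code from this thread or from any MyDoom tool: it rebuilds the first 0x400 bytes of the dump above, checks the 4-byte prefix, follows e_lfanew past the MZ header into the PE headers, and reports the UPX indicators (section names, the UPX! marker, entry point outside the first section). The sample bytes are constructed from the posted dump; MYDOOM_PREFIX is the value documented for the MyDoom.A backdoor handshake and is used here as an assumed signature, not something the thread itself establishes.

```python
import struct

# Constructed sample: the byte ranges the parser reads, copied from the hex
# dump posted above and keyed by offset in the capture. Ranges not listed (the
# DOS stub text, the "Rich" block, the rest of the optional header and the
# data directories) are zero-filled here because the parser never reads them.
CAPTURE_CHUNKS = {
    0x000: "85133C9EA24D5A900003000000040000",  # 4-byte prefix, 0xA2, then "MZ"
    0x040: "00D00000000E1FBA0E00B409CD21B801",  # e_lfanew = 0xD0 (payload +0x3C)
    0x0D0: "0000000000504500004C010300124A16",  # "PE\0\0", Machine 0x14C, 3 sections
    0x0E0: "400000000000000000E0000F010B0107",  # SizeOfOptionalHeader 0xE0, PE32
    0x0F0: "0000900000001000000050000000E700",  # AddressOfEntryPoint 0xE700
    0x100: "000060000000F0000000004000001000",  # ImageBase 0x400000
    0x1C0: "00000000000000000000000000555058",  # section table starts: UPX0
    0x1D0: "30000000000050000000100000000000",
    0x1E0: "00000400000000000000000000000000",
    0x1F0: "00800000E05550583100000000009000",  # UPX1
    0x200: "0000600000008A000000040000000000",
    0x210: "000000000000000000400000E0555058",  # UPX2
    0x220: "32000000000010000000F00000000200",
    0x230: "00008E00000000000000000000000000",
    0x240: "00400000C00000000000000000000000",
    0x3E0: "312E323400555058210C090209F9DEA8",  # "1.24\0UPX!" packer header
}

# Assumption: the 4-byte value documented as the MyDoom.A backdoor handshake.
MYDOOM_PREFIX = b"\x85\x13\x3c\x9e"


def build_capture(chunks=CAPTURE_CHUNKS, size=0x400):
    """Reassemble the posted dump (first 0x400 bytes) into one byte string."""
    buf = bytearray(size)
    for off, hexstr in chunks.items():
        raw = bytes.fromhex(hexstr)
        buf[off:off + len(raw)] = raw
    return bytes(buf)


def parse_capture(data):
    """Triage one TCP/3127 capture: prefix, PE header fields, UPX indicators."""
    mz = data.find(b"MZ")
    if mz < 0:
        raise ValueError("no MZ header in capture")
    pe = data[mz:]
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    opt_magic, = struct.unpack_from("<H", pe, opt)
    entry, = struct.unpack_from("<I", pe, opt + 16)
    image_base, = struct.unpack_from("<I", pe, opt + 28)

    sections = []
    for i in range(nsec):                # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_ptr": rawptr, "flags": flags})

    # Which section holds the entry point? UPX keeps its unpacking stub in the
    # last UPXn code section, so the EP is not in the first section of the file.
    entry_section = next((s["name"] for s in sections if s["virtual_address"] <= entry
                          < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])), None)

    # "UPX!" marker; in this dump the version string sits just before it.
    marker = pe.find(b"UPX!")
    version = None
    if marker >= 5 and pe[marker - 1] == 0:
        cand = pe[marker - 5:marker - 1]
        if cand and all(c in b"0123456789." for c in cand):
            version = cand.decode("ascii")

    # Smallest file that could hold every section's raw data; if the capture is
    # shorter, the honeypot did not record (or the dump does not show) all of it.
    expected = max(s["raw_ptr"] + s["raw_size"] for s in sections)
    return {
        "handshake": data[:4] == MYDOOM_PREFIX,
        "prefix": data[:mz], "mz_offset": mz,
        "machine": machine, "num_sections": nsec, "timestamp": stamp,
        "optional_magic": opt_magic, "entry_point": entry, "image_base": image_base,
        "sections": sections, "entry_section": entry_section,
        "upx_names": all(s["name"].startswith("UPX") for s in sections),
        "upx_marker": marker >= 0, "upx_version": version,
        "expected_size": expected, "truncated": len(pe) < expected,
    }


if __name__ == "__main__":
    info = parse_capture(build_capture())
    print(f"handshake match: {info['handshake']}, prefix: {info['prefix'].hex()}")
    print(f"PE32 machine=0x{info['machine']:X} sections={info['num_sections']} "
          f"stamp=0x{info['timestamp']:08X} EP=0x{info['entry_point']:X} in {info['entry_section']}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} va=0x{s['virtual_address']:05X} vsize=0x{s['virtual_size']:05X} "
              f"raw=0x{s['raw_size']:05X}@0x{s['raw_ptr']:05X} flags=0x{s['flags']:08X}")
    print(f"UPX sections: {info['upx_names']}, UPX! marker: {info['upx_marker']} "
          f"(version {info['upx_version']}); expected file size 0x{info['expected_size']:X}, "
          f"truncated capture: {info['truncated']}")
```

Run it as a script for a printed summary. The truncation check is the one that matters for a honeypot: the section table says the file is at least 0x9000 bytes, so the 0x400 bytes shown in the post are only the headers; a capture that short cannot be unpacked or handed to a sandbox as a working sample, and the honeypot should be logging the full stream on 3127 if the goal is to recover what the sender tried to run.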
Invision Power Board © 2001-2005 Invision Power Services, Inc.