[Full-Disclosure] [Fwd: [TH-research] Bagle remote uninstall]

From: Gadi Evron (ge_at_egotistical.reprehensible.net)
Date: 01/22/04

    To: bugtraq@securityfocus.com
    Date: Wed, 21 Jan 2004 16:55:07 -0800

    Good morning.
    The following forwarded message is from Joe Stewart to TH-Research (The
    Trojan Horses Research Mailing List).
    In it Joe explains a way for admins (or anybody really) to easily and
    massively remove Bagle infections from their networks.
    There are other ways to do this, but this is the simplest I have seen
    thus far.

    Thanks again to Joe for all his work.
    Drop him a thank-you note if this helps you, he's a good guy!

            Gadi Evron

    The Trojan Horses Research Mailing List - http://ecompute.org/th-list

    From: Joe Stewart <jstewart@lurhq.com>
    To: TH-Research
    Subject: [TH-research] Bagle remote uninstall
    Date: Tue, 20 Jan 2004 17:19:41 -0500

    Mail from Joe Stewart <jstewart@lurhq.com>

    If you can't wait till January 28, Bagle has a remote uninstall command
    which can be sent over port 6777, the port also used to upload the
    second stage.

    For instance, using perl and netcat, you could send the uninstall
    command with the one-liner below:
    perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"' \
    | nc infected_host_IP 6777

    When the command bytes above are received by an infected host, the virus
    will exit and delete its executable (using a batch script after the
    fact). The registry keys are not removed.

    -Joe

    -- 
           Gadi Evron,
           ge@linuxbox.org.
    The Trojan Horses Research mailing list - http://ecompute.org/th-list
    My resume (Hebrew) - http://www.math.org.il/resume.rtf
    PGP key for ge@linuxbox.org -
    http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
    Note: this key is used mainly for files and attachments, I sign email 
    messages using:
    http://vapid.reprehensible.net/~ge/Gadi_Evron_sign.asc
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
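
The detection side of the above, as an added example that is not part of the original thread: a Python sketch that decodes the command string the way Perl does (note that `\x0412` is the byte 0x04 followed by the ASCII text "12", since Perl's `\x` escape takes at most two hex digits) and labels constructed flow records to port 6777. The flow-record layout and the `bagle-uninstall` / `bagle-backdoor-traffic` labels are assumptions of this example; the sample flows are constructed, not captured traffic.

```python
import re
from typing import Optional

# Perl's double-quoted "\x" escape consumes at most two hex digits, so the
# "\x0412" in the posted one-liner is the byte 0x04 followed by ASCII "12".
_PERL_X = re.compile(r"\\x([0-9a-fA-F]{1,2})")

def perl_unescape(s: str) -> bytes:
    """Decode a Perl double-quoted string made of \\xHH escapes and plain ASCII."""
    out = bytearray()
    pos = 0
    for m in _PERL_X.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)

# The command string exactly as written in the one-liner above: 12 bytes on the wire.
BAGLE_UNINSTALL = perl_unescape(r"\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00")
BAGLE_PORT = 6777  # backdoor port named in the mail

def classify(dport: int, payload: bytes) -> Optional[str]:
    """Label one TCP flow by destination port and leading payload bytes (labels are ours)."""
    if dport != BAGLE_PORT:
        return None
    if payload.startswith(BAGLE_UNINSTALL):
        return "bagle-uninstall"        # someone sent the remote uninstall command
    return "bagle-backdoor-traffic"     # any other traffic to the backdoor port

def scan(flows):
    """flows: iterable of (src, dst, dport, payload); returns [(src, dst, label), ...]."""
    alerts = []
    for src, dst, dport, payload in flows:
        label = classify(dport, payload)
        if label is not None:
            alerts.append((src, dst, label))
    return alerts

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.77", 6777, BAGLE_UNINSTALL),
    ("10.0.0.9", "10.0.0.77", 6777, b"MZ\x90\x00\x03\x00\x00\x00"),
    ("10.0.0.5", "10.0.0.80", 443, b"\x16\x03\x01\x02\x00"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```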
    
