RE: [Full-Disclosure] Virus/Trojan trying to connect external:445 and 220.127.116.11.6667
From: Todd Towles (toddtowles_at_brookshires.com)
To: <firstname.lastname@example.org>, <email@example.com>, <firstname.lastname@example.org> Date: Fri, 22 Oct 2004 07:42:11 -0500
Sounds like a IRC trojan that is trying to spread via network shares
(maybe weak passwords). 6667 is the IRC port, so it looks like it needs
that for command and control.
Can you get a copy of it?
> -----Original Message-----
> From: email@example.com
> [mailto:firstname.lastname@example.org] On Behalf Of
> Murat Bicer
> Sent: Friday, October 22, 2004 3:39 AM
> To: email@example.com; firstname.lastname@example.org
> Subject: [Full-Disclosure] Virus/Trojan trying to connect
> external:445 and 18.104.22.168.6667
> Hi All,
> I am seeing some network traffic for some windows host trying
> to contact random remote hosts port 445 and these hosts also
> try to connect 22.214.171.124.6667
> Is this some kind of an IRC bot/trojan?
> Anybody aware of it?
> We cannot find anything with the virus scanner.
> This virus is very chatty, and keeping the network very busy.
> Any suggestions?
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Full-Disclosure - We believe in it.