RE: [Full-Disclosure] Virus/Trojan trying to connect external:445 and 212.175.149.149.6667

From: Todd Towles (toddtowles_at_brookshires.com)
Date: 10/22/04

    To: <m@bicer.org>, <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>
    Date: Fri, 22 Oct 2004 07:42:11 -0500
    
    

    Sounds like an IRC trojan that is trying to spread via network shares
    (maybe weak passwords). 6667 is the IRC port, so it looks like it needs
    that for command and control.

    Can you get a copy of it?

    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com
    > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
    > Murat Bicer
    > Sent: Friday, October 22, 2004 3:39 AM
    > To: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com
    > Subject: [Full-Disclosure] Virus/Trojan trying to connect
    > external:445 and 212.175.149.149.6667
    >
    > Hi All,
    >
    > I am seeing some network traffic for some Windows hosts trying
    > to contact random remote hosts on port 445, and these hosts also
    > try to connect to 212.175.149.149.6667
    >
    > Is this some kind of an IRC bot/trojan?
    >
    > Anybody aware of it?
    >
    > We cannot find anything with the virus scanner.
    > This virus is very chatty, and is keeping the network very busy.
    >
    > Any suggestions?
    >
    > Best,
    > Murat
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
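
The traffic pattern discussed in this thread (an internal host contacting many random external hosts on port 445 while also connecting out to port 6667) can be checked for in connection logs. The following is an added example, not part of the original messages; the flow-record format, the 10.0.0.0/8 internal range, the threshold and every sample address except 212.175.149.149 are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the monitored LAN
SMB_PORT, IRC_PORT = 445, 6667

# Constructed sample records, one outbound TCP attempt per line: "src dst dport"
SAMPLE_FLOWS = """\
10.1.1.23 198.51.100.7 445
10.1.1.23 198.51.100.91 445
10.1.1.23 203.0.113.14 445
10.1.1.23 203.0.113.200 445
10.1.1.23 192.0.2.33 445
10.1.1.23 192.0.2.180 445
10.1.1.23 212.175.149.149 6667
10.1.1.40 198.51.100.7 445
10.1.1.55 192.0.2.50 6667
10.1.1.60 10.1.1.5 445
this line is malformed and is skipped
"""

def parse_flows(text):
    """Yield (src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]),
                   ipaddress.ip_address(parts[1]), int(parts[2]))
        except ValueError:
            continue

def find_suspects(flows, min_smb_targets=5):
    """Internal hosts that fan out to many external 445 targets AND reach external 6667."""
    smb, irc = defaultdict(set), defaultdict(set)
    for src, dst, dport in flows:
        if src not in INTERNAL or dst in INTERNAL:
            continue  # only internal -> external traffic matters here
        if dport == SMB_PORT:
            smb[src].add(dst)
        elif dport == IRC_PORT:
            irc[src].add(dst)
    return {str(s): {"smb_targets": len(smb[s]),
                     "irc_servers": sorted(str(d) for d in irc[s])}
            for s in smb if len(smb[s]) >= min_smb_targets and s in irc}

if __name__ == "__main__":
    for host, info in find_suspects(parse_flows(SAMPLE_FLOWS)).items():
        print(host, info)
```

Requiring both signals keeps an ordinary IRC client (10.1.1.55) or a single outbound SMB connection (10.1.1.40) from being flagged on its own.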

