new strange worm
From: Alex Gen (alexei.h_at_spray.se)
Date: 04/12/04
Date: 12 Apr 2004 12:29:22 -0000
To: bugtraq@securityfocus.com
http://www.mikenoels.net/matrix.swf/index1.html (do _not_ open.)
Found a new sort of worm, at least I didn't find any information about this on any security site:
Creates a registry entry \HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 and adds a file called "umcss.exe" to C:\windows(winnt)\system32. The executable spawns a connection to an IRC server called apollo.uplinkearth.com at port 6667. I'm assuming it's sitting in a channel there to create a DoS at a specific date or to give the owner of that IRC server problems.
It also adds a line in mirc.ini telling it to load a script called custom1.mrc, which adds an "on join" to remote, sending several messages to channel visitors, including one with the URL above.
regards,
Alex Gen
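
A host check for the two file-based indicators named in the message above, as an added example that is not part of the original post. The function names and the `[rfiles]` layout of the constructed sample mirc.ini are assumptions; the registry entry is not checked here.

```python
import os

# Indicators named in the message above.
DROPPED_FILE = "umcss.exe"
SCRIPT_NAME = "custom1.mrc"

# Constructed sample; the [rfiles] section layout is an assumption.
SAMPLE_MIRC_INI = """[rfiles]
n0=remote.ini
n1=custom1.mrc
; custom1.mrc mentioned only in a comment
"""


def scan_mirc_ini(text):
    """Return (line_no, line) for each non-comment line that references the script."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(";"):
            continue  # INI comment, does not load anything
        if SCRIPT_NAME in stripped.lower():
            hits.append((line_no, stripped))
    return hits


def check_host(system_dirs, mirc_ini_paths):
    """Return (kind, detail) findings for the dropped file and the mirc.ini entry."""
    findings = []
    for directory in system_dirs:
        try:
            names = os.listdir(directory)
        except OSError:
            continue  # directory absent on this host (windows vs. winnt)
        for name in names:
            if name.lower() == DROPPED_FILE:  # Windows names are case-insensitive
                findings.append(("file", os.path.join(directory, name)))
    for path in mirc_ini_paths:
        try:
            with open(path, encoding="latin-1") as handle:
                text = handle.read()
        except OSError:
            continue
        for line_no, line in scan_mirc_ini(text):
            findings.append(("mirc.ini", f"{path}:{line_no}: {line}"))
    return findings


if __name__ == "__main__":
    print(scan_mirc_ini(SAMPLE_MIRC_INI))  # scan of the constructed sample
```

Pass both `C:\windows\system32` and `C:\winnt\system32` as `system_dirs`, since the message gives either location; a missing directory is skipped.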