new strange worm

From: Alex Gen (alexei.h_at_spray.se)
Date: 04/12/04

  • Next message: Arman Nayyeri: "Microsoft Internet Explorer BMP file memory DoS vulnerability"
    Date: 12 Apr 2004 12:29:22 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    http://www.mikenoels.net/matrix.swf/index1.html (do _not_ open.)

    Found a new sort of worm, at least I didn't find any information about this on any securitysite;

    Creates a registry entry \HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 and adds a file called "umcss.exe" to C:\windows(winnt)\system32. The exececutable spawns a connection to a irc-server called apollo.uplinkearth.com at port 6667. I'm asuming it's sitting in a channel there to create a DoS at a specific date or to give the owner of that irc-server problems.

    it also adds a line in mirc.ini telling it to load a script called custom1.mrc, which adds a "on join" to remote, sending several messages to channel visitors, including one with the URL above.

    regards,
    Alex Gen


  • Next message: Arman Nayyeri: "Microsoft Internet Explorer BMP file memory DoS vulnerability"

    Relevant Pages

    • Re: Crash in accounting code: encode_long(), due to bad rusage data?
      ... I'm not sure it's worth being able to encode negative numbers based on the current set of measurements, but it's probably worth having some sort of encoding for an error case. ... As Jeff has mentioned in his e-mail, this is almost certainly a usage stat that requires upgrading to 64-bit, as 32 bits for that stat is so small as to be entirely unuseful :-). ...
      (freebsd-current)
    • guess encoding?
      ... it is in some sort of encoding. ... I can run xmllint on it, and get an ascii text ... transliteration of non-ASCII characters)? ...
      (comp.os.linux.misc)
    • Why you must install a firewall NOW
      ... the recent worm that exploited the buffer overflow in Windows's ... wasn't the sort of e-mail-borne pest that antivirus ... software is good at catching. ...
      (microsoft.public.security)
    • Re: Character conversion
      ... > Is there some sort of component, or easy way of going about this? ... The easy way would be to decode the input encoding to Unicode, ... a for loop, for decoding, as a single output value may "eat" several ... Don't try to use a single index to point into the ...
      (comp.lang.pascal.delphi.misc)
    • Re: Ground moles
      ... I can get some sort of worm that has poison in it from the pest control place but they are very expensive. ...
      (rec.gardens.edible)