new strange worm

From: Alex Gen (alexei.h_at_spray.se)
Date: 04/12/04

  • Next message: Arman Nayyeri: "Microsoft Internet Explorer BMP file memory DoS vulnerability"
    Date: 12 Apr 2004 12:29:22 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    http://www.mikenoels.net/matrix.swf/index1.html (do _not_ open.)

    Found a new sort of worm, at least I didn't find any information about this on any securitysite;

    Creates a registry entry \HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 and adds a file called "umcss.exe" to C:\windows(winnt)\system32. The exececutable spawns a connection to a irc-server called apollo.uplinkearth.com at port 6667. I'm asuming it's sitting in a channel there to create a DoS at a specific date or to give the owner of that irc-server problems.

    it also adds a line in mirc.ini telling it to load a script called custom1.mrc, which adds a "on join" to remote, sending several messages to channel visitors, including one with the URL above.

    regards,
    Alex Gen


  • Next message: Arman Nayyeri: "Microsoft Internet Explorer BMP file memory DoS vulnerability"