RE: Worm1800.exe on UnderNet?

From: Darren Windham (dwindham@camozzi-usa.com)
Date: 06/20/02


Date: Thu, 20 Jun 2002 15:38:41 -0500
From: "Darren Windham" <dwindham@camozzi-usa.com>
To: "cw" <cw@fidei.co.uk>, <incidents@securityfocus.com>

I tried it on an unplugged machine and Norton catches it as an IRC backdoor virus.

-----Original Message-----
From: cw [mailto:cw@fidei.co.uk]
Sent: Thursday, June 20, 2002 2:26 PM
To: incidents@securityfocus.com
Subject: Worm1800.exe on UnderNet?

Hi there folks,
Twice in the past hour I have been messaged by two separate people on
UnderNet.

The message goes:
:!Notice!: A Recent Port Scan on your Computer reveals that Port 1800
is in open state. This usually means that you have been infected with
an IRC Worm Virus. Please download the cleaner at:
http://www.No-Hack.Us/Fixes/Worm1800.exe to remove the virus from
your system. If you do not comply with this rule within 30 minutes,
our client monitor will ban you from this network. -Thanks For
Understanding. UNDERNet Exploit Team

The nicks have both been Under-XXX (where XXX is a different set of
numbers).

For one, I know that port 1800 is not open; however, the file
Worm1800.exe does not show up anything when scanned.

Both of the users that messaged me were on pacbell.net ADSL.

The domain no-hack.us was only registered 6 days ago.

I don't have the spare time or computer to have a further look into
what this file actually does. Has anyone come across this yet and
knows what it does, or is anyone willing to investigate?

-- 
O- cw, cw@fidei.co.uk on 20/06/2002
"Part man, part monkey. Baby that's me"

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
