Re: Worm1800.exe on UnderNet?

From: Kelly Brown (kellyb@sd.us.am.ericsson.se)
Date: 06/21/02


Date: Thu, 20 Jun 2002 15:59:01 -0700 (PDT)
From: Kelly Brown <kellyb@sd.us.am.ericsson.se>
To: cw <cw@fidei.co.uk>

Did you look at the website? They straight out say...

This Site was designed to help infected IRC users to find proper
information, the author does not accept any liability for any damage, loss
of data or loss of service caused by the use or misuse of this site. Use
at your own risk.

I don't know how you can misuse a website designed to infect people...

Anyway it looks like somebody connected with nohack.net may have something
to do with it. If you want to follow up you may want to email
webteam@nohack.net as they are referenced in the web page source
code. Maybe they can get the web site removed... I doubt it but you
never know.

Kelly Brown
Unix System Administrator
Ericsson CDMA Systems

On Thu, 20 Jun 2002, cw wrote:

> Hi there folks,
> Twice in the past hour I have been messaged by two separate people on
> UnderNet.
>
> The message goes:
> :!Notice!: A Recent Port Scan on your Computer reveals that Port 1800
> is in open state. This usually means that you have been infected with
> an IRC Worm Virus. Please download the cleaner at:
> http://www.No-Hack.Us/Fixes/Worm1800.exe to remove the virus from
> your system. If you do not comply with this rule within 30 minutes,
> our client monitor will ban you from this network. -Thanks For
> Understanding. UNDERNet Exploit Team
>
> The nicks have both been Under-XXX (where XXX is a different set of
> numbers).
>
> For one, I know that port 1800 is not open; however, the file
> Worm1800.exe does not show up anything when scanned.
>
> Both of the users that messaged me were on pacbell.net adsl
>
> The domain no-hack.us was only registered 6 days ago.
>
> I don't have the spare time or computer to have a further look into
> what this file actually does, has anyone come across this yet and
> know what it does or is anyone willing to investigate?
> --
> O- cw, cw@fidei.co.uk on 20/06/2002
> "Part man, part monkey. Baby that's me"
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
