mIRC Zombie, port 445
From: Tino Didriksen (sfo@projectjj.dk)
Date: 01/19/03
Date: 19 Jan 2003 02:03:38 -0000
From: Tino Didriksen <sfo@projectjj.dk>
To: incidents@securityfocus.com
I have observed a zombie/trojan on a zombie IRC network that apparently
infects vulnerable computers through port 445.
There are constantly about 980 zombies performing netblock wide scans for
IPs with port 445 vulnerable.
A copy of the Zombie in its original form:
URL: http://irc.projectjj.dk/Files.exe.zombie
Needs to be renamed to files.exe, though.
DO NOT RUN THIS FILE BEFORE READING THROUGH!
When run, it will create C:\winnt\INF\other regardless of %windir% (an
obvious mistake from the creator), but the BAT files in the dir do
indicate it makes the zombie run at boot.
Anyways, these files are created for sure:
C:\winnt\INF\other\hide.exe
C:\winnt\INF\other\mdm.exe
C:\winnt\INF\other\psexec.exe
C:\winnt\INF\other\taskmngr.exe
C:\winnt\INF\other\nt32.ini
C:\winnt\INF\other\remote.ini
C:\winnt\INF\other\secureme
C:\winnt\INF\other\win32.mrc
C:\winnt\INF\other\BACKUP.BAT
C:\winnt\INF\other\seced.bat
C:\winnt\INF\other\start.bat
- hide.exe is used by start.bat to effectively cloak that it's installing
itself.
- mdm.exe is in reality HideWindow by Adrian Lopez, but he's quite
innocent otherwise.
- psexec.exe seems to be a remote tool...unknown...
- taskmngr.exe is in reality mIRC v5.70, an IRC client.
- nt32.ini, remote.ini, win32.mrc are all mIRC INI/script files.
- secureme appears to be INI sections for making it run at boot...
- The BATs are minor utils.
When activated, it uses mIRC (taskmngr.exe) to connect to an IRC server:
Server: bots.bounceme.net
Port: 7000
Channel: #Nova
It will generate a random name.
And then it waits for the master to activate it.
The network is limited to 990 clients, but it is nearly always full, and
since people go on/off, I figure several thousand computers are
infected.
Sample from the log:
<OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XZGW53604> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<XZGW53604> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XJNH54935> [Found 18.232.0.71]: Attempting to Infect
<XJNH54935> [Found 18.232.0.84]: Attempting to Infect
<XJNH54935> [Found 18.232.0.86]: Attempting to Infect
<XJNH54935> [Found 18.232.0.91]: Attempting to Infect
...etc...
Well, hope this is of any help. First time I'm posting here...
-- Tino Didriksen / projectjj.dk
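A small parser for the channel chatter quoted in the post, added here as an example and not part of the original message or of the zombie itself. It turns each bot line into a structured event so that the controller's login name, the scanned ranges and the hosts the bots report as infection targets can be pulled out as indicators for blocking and notification. The embedded sample is the post's own log lines plus one constructed non-matching line; the message formats and the field names are assumptions based only on those lines.

```python
import re
from ipaddress import ip_address

# Constructed sample: the lines quoted in the post, plus one line of unrelated chatter.
SAMPLE_LOG = """\
<OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XZGW53604> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<XZGW53604> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XJNH54935> [Found 18.232.0.71]: Attempting to Infect
<XJNH54935> [Found 18.232.0.84]: Attempting to Infect
<XJNH54935> hello, anyone here?
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(r"^<(?P<nick>[^>]+)>\s+(?P<msg>.*)$")
# The three message shapes seen in the sample (case-insensitive, the bot mixes case).
LOGIN_RE = re.compile(r"\[LoGiN AcCePtEd\] \[User: (?P<master>\w+)\]", re.I)
SCAN_RE = re.compile(r"\[Scan Started\] (?P<start>%s) to (?P<end>%s)\.*\s*\[port:(?P<port>\d+)\]" % (IPV4, IPV4), re.I)
FOUND_RE = re.compile(r"\[Found (?P<target>%s)\]: Attempting to Infect" % IPV4, re.I)

def parse_line(line):
    """Return one event dict for a recognised bot message, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    nick, msg = m.group("nick"), m.group("msg")
    if (x := LOGIN_RE.search(msg)):
        return {"type": "login", "bot": nick, "master": x["master"]}
    if (x := SCAN_RE.search(msg)):
        return {"type": "scan", "bot": nick, "start": x["start"], "end": x["end"], "port": int(x["port"])}
    if (x := FOUND_RE.search(msg)):
        return {"type": "infect", "bot": nick, "target": x["target"]}
    return None

def summarize(log_text):
    """Collapse a channel log into indicators: bot nicks, controller logins, scan ranges, targets."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "bots": sorted({e["bot"] for e in events}),
        "masters": sorted({e["master"] for e in events if e["type"] == "login"}),
        "scans": sorted({(e["start"], e["end"], e["port"]) for e in events if e["type"] == "scan"}),
        # Targets are hosts reported as infection attempts; sort numerically, not lexically.
        "targets": sorted({e["target"] for e in events if e["type"] == "infect"}, key=ip_address),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Hosts in "targets" are the ones whose owners need notifying; "scans" gives the netblocks the bots were told to sweep for the port the post describes.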
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com