Re: mIRC Zombie, port 445
From: Tino Didriksen (td@projectjj.dk)
Date: 01/22/03
From: "Tino Didriksen" <td@projectjj.dk>
To: <incidents@securityfocus.com>
Date: Wed, 22 Jan 2003 18:22:29 +0100
All files are now available separately in:
http://irc.projectjj.dk/files.exe.dir/
Or as a zip:
http://irc.projectjj.dk/files.exe.dir/files.exe.dir.zip
A word of warning, though: running taskmngr.exe (mIRC) will make it autoinstall itself as well.
-- Tino Didriksen / Project JJ
----- Original Message -----
From: "Danny" <Danny@drexel.edu>
To: "'Tino Didriksen'" <sfo@projectjj.dk>
Sent: Wednesday, January 22, 2003 5:49 PM
Subject: RE: mIRC Zombie, port 445
Tino, could you possibly post the mirc.ini (nt32.ini) on the web someplace, or zip up all the files and supply a URL? I don't have a test machine available at the moment, so I don't want to run the exe to get them :) Thanks in advance.
Cheers
Danny
Network Security Engineer
Drexel University
Digital ID Print: 874f 1b77 470f 0b10 126e d8d2 c3a3 d52a 24ab 73c3
PGP Print: C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC F4ED F1E0
PGP Key: http://akasha.irt.drexel.edu/danny.asc
|>-----Original Message-----
|>From: Tino Didriksen [mailto:sfo@projectjj.dk]
|>Sent: Saturday, January 18, 2003 9:04 PM
|>To: incidents@securityfocus.com
|>Subject: mIRC Zombie, port 445
|>
|>I have observed a zombie/trojan on a zombie IRC network that apparently
|>infects vulnerable computers through port 445.
|>
|>There are constantly about 980 zombies performing netblock wide scans for
|>IPs with port 445 vulnerable.
|>
|>A copy of the Zombie in its original form:
|>URL: http://irc.projectjj.dk/Files.exe.zombie
|>Needs to be renamed to files.exe, though.
|>DO NOT RUN THIS FILE BEFORE READING THROUGH!
|>
|>When run, it will create C:\winnt\INF\other regardless of %windir% (an
|>obvious mistake from the creator), but the BAT files in the dir do
|>indicate it makes the zombie run at boot.
|>
|>Anyways, these files are created for sure:
|>C:\winnt\INF\other\hide.exe
|>C:\winnt\INF\other\mdm.exe
|>C:\winnt\INF\other\psexec.exe
|>C:\winnt\INF\other\taskmngr.exe
|>C:\winnt\INF\other\nt32.ini
|>C:\winnt\INF\other\remote.ini
|>C:\winnt\INF\other\secureme
|>C:\winnt\INF\other\win32.mrc
|>C:\winnt\INF\other\BACKUP.BAT
|>C:\winnt\INF\other\seced.bat
|>C:\winnt\INF\other\start.bat
|>
|>- hide.exe is used by start.bat to effectively cloak that it's installing
|>itself.
|>- mdm.exe is in reality HideWindow by Adrian Lopez, but he's quite
|>innocent otherwise.
|>- psexec.exe seems to be a remote tool...unknown...
|>- taskmngr.exe is in reality mIRC v5.70, an IRC client.
|>- nt32.ini, remote.ini, win32.mrc are all mIRC INI/script files.
|>- secureme appears to be INI sections for making it run at boot...
|>- The BATs are minor utils.
|>
|>When activated, it uses mIRC (taskmngr.exe) to connect to an IRC server:
|>Server: bots.bounceme.net
|>Port: 7000
|>Channel: #Nova
|>It will generate a random name.
|>
|>And then it waits for the master to activate it.
|>
|>The network is limited to 990 clients, but it is nearly always full, and
|>since people go on/off, I figure several thousand computers are
|>infected.
|>
|>Sample from the log:
|><OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
|><OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
|><XZGW53604> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
|><XZGW53604> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
|><XJNH54935> [Found 18.232.0.71]: Attempting to Infect
|><XJNH54935> [Found 18.232.0.84]: Attempting to Infect
|><XJNH54935> [Found 18.232.0.86]: Attempting to Infect
|><XJNH54935> [Found 18.232.0.91]: Attempting to Infect
|>...etc...
|>
|>Well, hope this is of any help. First time I'm posting here...
|>
|>-- Tino Didriksen / projectjj.dk
|>
|>----------------------------------------------------------------------------
|>This list is provided by the SecurityFocus ARIS analyzer service.
|>For more information on this free incident handling, management
|>and tracking system please see: http://aris.securityfocus.com
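Added example, not part of the original posts: a small Python triage parser for the channel chatter quoted in the thread. It recognises the three message shapes shown in the log (login accepted, scan started, found/attempting to infect) and aggregates bot nicks, master login names, announced scan ranges and per-bot victim IPs. The sample log is constructed in that format, and the regex and field names are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the channel log quoted in the post.
SAMPLE_LOG = """\
<OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XZGW53604> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<XZGW53604> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XJNH54935> [Found 18.232.0.71]: Attempting to Infect
<XJNH54935> [Found 18.232.0.84]: Attempting to Infect
<ABCD00000> hello there
"""

# One pattern per bot message type seen in the log (assumed shapes).
LOGIN_RE = re.compile(r"^<(?P<nick>[^>]+)> \[LoGiN AcCePtEd\] \[User: (?P<user>[^\]]+)\]")
SCAN_RE = re.compile(r"^<(?P<nick>[^>]+)> \[Scan Started\] (?P<start>[\d.]+) to "
                     r"(?P<end>[\d.]+)\.\.\. \[port:(?P<port>\d+)\]")
FOUND_RE = re.compile(r"^<(?P<nick>[^>]+)> \[Found (?P<ip>[\d.]+)\]: Attempting to Infect")

def parse_line(line):
    """Return (event_type, fields) for a recognised bot message, else None."""
    for kind, rx in (("login", LOGIN_RE), ("scan", SCAN_RE), ("found", FOUND_RE)):
        m = rx.match(line.strip())
        if m:
            return kind, m.groupdict()
    return None  # ordinary chatter or an unknown message shape

def summarize(log_text):
    """Aggregate a channel log into a triage summary for the responder."""
    summary = {"bots": set(), "masters": set(), "scans": [], "victims": defaultdict(set)}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        summary["bots"].add(f["nick"])
        if kind == "login":
            summary["masters"].add(f["user"])
        elif kind == "scan":
            summary["scans"].append((f["nick"], f["start"], f["end"], int(f["port"])))
        elif kind == "found":
            summary["victims"][f["nick"]].add(f["ip"])
    summary["victims"] = dict(summary["victims"])
    return summary

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The "victims" set is the list of hosts to notify or check first; the "scans" tuples give the netblocks being swept and the port, which is what you would feed into a perimeter rule or an abuse report.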