Re: mIRC Zombie, port 445

From: Sami Rautiainen (Sami.Rautiainen@F-Secure.com)
Date: 01/22/03

    Date: Wed, 22 Jan 2003 17:15:39 +0200
    From: Sami Rautiainen <Sami.Rautiainen@F-Secure.com>
    To: incidents@securityfocus.com
    
    

    Hello,

    Tino Didriksen <sfo@projectjj.dk> wrote at 19 Jan 2003 02:03:38 -0000:

    >I have observed a zombie/trojan on a zombie IRC network that apparently
    >infects vulnerable computers through port 445.

    The backdoor uses Sysinternals' psexec tool to run itself in the destination
    host. The connection is attempted several times, with a predefined list of
    username and password combinations.

    Further information is available in our description at:
            http://www.f-secure.com/v-descs/novabot.shtml

    F-Secure Anti-Virus detects the backdoor with the current updates.

    Regards,
            Sami

    -- 
    Sami Rautiainen                         F-Secure Corporation
    Senior Virus Researcher                 Anti-Virus Research Team
    tel. +358 9 2520 5656                   http://www.F-Secure.com
                 Securing the Mobile, Distributed Enterprise
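
An added detection example (not part of the original post or of F-Secure's description): it flags the pattern the message describes, several credential attempts from one source followed by a successful logon and a PsExec service install on the target. The normalised event tuples, the function name and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post), assumed to be already
# normalised from a target host's logs into: time, kind, source, user/service.
SAMPLE_EVENTS = [
    ("2003-01-19 02:01:10", "logon_fail", "192.0.2.44", "administrator"),
    ("2003-01-19 02:01:11", "logon_fail", "192.0.2.44", "admin"),
    ("2003-01-19 02:01:13", "logon_fail", "192.0.2.44", "root"),
    ("2003-01-19 02:01:14", "logon_ok", "192.0.2.44", "administrator"),
    ("2003-01-19 02:01:16", "service_install", "-", "PSEXESVC"),
    ("2003-01-19 09:30:00", "logon_fail", "192.0.2.7", "alice"),
    ("2003-01-19 09:30:20", "logon_ok", "192.0.2.7", "alice"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_guess_then_psexec(events, min_failures=3, window_s=60):
    """Report sources that fail several logons and then succeed, noting whether
    a PSEXESVC service install follows the successful logon within the window."""
    window = timedelta(seconds=window_s)
    rows = sorted((parse(t), kind, src, name) for t, kind, src, name in events)
    fails = defaultdict(list)  # source -> [(time, user)] since last success
    findings = []
    for i, (t, kind, src, name) in enumerate(rows):
        if kind == "logon_fail":
            fails[src].append((t, name))
        elif kind == "logon_ok":
            recent = [(ft, u) for ft, u in fails[src] if t - ft <= window]
            fails[src] = []
            if len(recent) < min_failures:
                continue  # an ordinary mistyped password, not a guessing run
            # PsExec's remote service is named PSEXESVC by default.
            svc = any(k == "service_install" and n.upper() == "PSEXESVC"
                      and timedelta(0) <= st - t <= window
                      for st, k, _, n in rows[i + 1:])
            findings.append({"source": src, "account": name,
                             "failed_attempts": len(recent),
                             "users_tried": sorted({u for _, u in recent}),
                             "psexec_service": svc})
    return findings
```

A finding with `psexec_service` set to true is the stronger signal; a run of failures followed by a success without the service install still deserves a look at the account involved.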
    

