Re: possible new irc worm

From: Chris Ess (azarin_at_tokimi.net)
Date: 06/28/03

  • Next message: jlewis_at_lewis.org: "speaking of rootkits"

Date: Sat, 28 Jun 2003 01:52:16 -0400 (EDT)
To: rewt@eghetto.ca

    > I attempted to grab that package in order to take a look at it, but the
    > link seems to be dead. On top of that, the IP seems to be dead. Did you
    > get a chance to grab the archive earlier? If so, please send it to me, no
    > need to post it to the list unless others want it.
    >
    > I'm going on a drive tomorrow, and it would be nice to have something to
    > occupy myself with :)

    I have a copy that someone else managed to snag. Jonathan, I'll send you
    a copy in another email. If anyone else wants it, please feel free to
    ask.

    What I've come up with so far is this:

    The vector appears to be a zip file that contains an HTML file. The HTML
    file has, at the beginning of it, a base64-encoded executable of some
    sort. Unfortunately, I lack the resources to analyze it further.
    (Anyone have a good x86 disassembler or decompiler they'd like to
    suggest?) The text of the document is output through javascript.
    Presumably it uses this to execute the embedded executable. I'm told this
    only works in IE but haven't seen fit to experiment myself. (Is this
    behavior expected or is it a bug?)

    I have been told that as of 8:30 BST (GMT+0100), the worms appeared to
    have stopped. I would guess that this is some sort of timing routine
    built into the worm. Whether or not it'll restart again remains to be
    seen, but I haven't seen any activity for a while.

    Sincerely,

    Chris Ess
    System Administrator / CDTT (Certified Duct Tape Technician)

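The post above describes the sample as a zip archive holding an HTML file that starts with a base64-encoded executable and writes its visible text via JavaScript. The following is an added triage script, not code from the list post or its author: it unpacks such an archive in memory, looks for long base64 runs in any HTML member, decodes them, and reports the ones that decode to a DOS/PE "MZ" header, alongside whether the page uses document.write. The zip it builds for itself is a constructed sample whose "executable" is a harmless placeholder.

```python
import base64
import io
import re
import zipfile

# Constructed sample input: a zip containing one HTML file whose first element
# is a base64 blob that decodes to bytes beginning with the "MZ" DOS/PE header.
# The decoded bytes are filler, not a real program.
FAKE_PE = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode."
SAMPLE_HTML = (
    b"<html><body><div id='payload'>"
    + base64.b64encode(FAKE_PE)
    + b"</div><script>document.write('harmless text');</script></body></html>"
)


def build_sample_zip() -> bytes:
    """Build the constructed sample archive in memory (nothing touches disk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.html", SAMPLE_HTML)
    return buf.getvalue()


# A run of 64+ base64 characters with optional padding. Short runs are ignored
# to avoid flagging ordinary words or attribute values.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_embedded_executables(html: bytes):
    """Return (offset, decoded_length) for each base64 run that decodes to an MZ header."""
    hits = []
    for m in B64_RUN.finditer(html):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad padding or alphabet
            continue
        if decoded[:2] == b"MZ":
            hits.append((m.start(), len(decoded)))
    return hits


def triage_zip(data: bytes):
    """Inspect every member of the archive and describe what was found."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info.filename)
            is_html = info.filename.lower().endswith((".htm", ".html"))
            report.append({
                "name": info.filename,
                "is_html": is_html,
                "uses_document_write": b"document.write" in content.lower(),
                "embedded_executables": find_embedded_executables(content) if is_html else [],
            })
    return report


def is_suspicious(report) -> bool:
    """An HTML member carrying an MZ blob and writing its content from script matches the described pattern."""
    return any(e["is_html"] and e["embedded_executables"] and e["uses_document_write"]
               for e in report)


if __name__ == "__main__":
    for entry in triage_zip(build_sample_zip()):
        print(entry)
    print("suspicious:", is_suspicious(triage_zip(build_sample_zip())))
```

The MZ check is a cheap first filter for a mail or web gateway, not a verdict: a decoded blob with that header still needs static analysis in a sandbox, and a sample that stores the executable in a different encoding, or splits it across several short runs, will not match the 64-character threshold used here.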

