Re: possible new irc worm
From: Axel Pettinger (api_at_epost.de)
Date: 06/28/03
- Previous message: Paolo Monti: "Re: possible new irc worm"
- In reply to: ZSisic: "possible new irc worm"
- Next in thread: Chris Ess: "Re: possible new irc worm"
- Reply: Chris Ess: "Re: possible new irc worm"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 28 Jun 2003 23:23:25 +0200
To: ZSisic <ZSisic@noahtek.com>, incidents@securityfocus.com
ZSisic wrote:
>
> Hello everybody,
>
> As of today, we started noticing spamming bots or drones on our IRC
> network. They enter channels, scan for users, exit and spam users with
> following messages:
>
> <kyzclvqfc> EEEEEEETHHHOOOM! MINDJAIL!! HE IS TRAPPED!! GET HIM OUT!
> http://61.48.32.73:3030/mindjail.zip
>
> <pwdujizao> Ever heard of a thing called mindjail? Check it:
> http://61.106.85.184:3030/mindjail.zip
>
> Did anybody else notice this behavior? It seems to be a new worm. I
> searched on Google for "mindjail", but my search did not return
> anything.
"mindjail.zip" contains an HTML file, "mindjail.html", which drops and
executes "javax.sun.base.exe" (MD5: 286b884697dffd5a535295dcf5a4c6ea) on
vulnerable systems - see "Self-Executing HTML: Internet Explorer 5.5 and
6.0 Part II", <http://www.securityfocus.com/archive/1/313174>, for more
information about the vulnerability.
"javax.sun.base.exe" is an upx'ed SdBot variant. It tries to connect to
"hk.zxy0.com" [64.156.241.176].
Most anti-virus scanners fail to detect the exploit code and the
backdoor trojan, but a few scanners report the following:
[MINDJAIL.HTML]
Dialogue Science DrWebWCL : Trojan.SelfExecHtml
GeCAD RAVAV : HTML/CodeBaseExec*
Kaspersky Lab KAVDOS32 : TrojanDropper.JS.Mimail.b
Symantec NAV CE VSCAND : Trojan.Sefex
[JAVAX.SUN.BASE.EXE]
GeCAD RAVAV : Backdoor:IRC/SdBot
Kaspersky Lab KAVDOS32 : Backdoor.SdBot.gen
Regards,
Axel Pettinger
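An added detection example, not part of the thread: it scans IRC client log lines for the mindjail.zip download URLs quoted above, checks a file's MD5 against the hash Axel reports for javax.sun.base.exe, and flags outbound contact with the controller host he names. The log lines below are constructed for the example; the indicator values are the ones given in the messages.

```python
import hashlib
import re
from typing import Dict, List

# Indicators taken from the thread itself (not constructed)
MINDJAIL_URL_RE = re.compile(r"https?://(?P<host>[\w.-]+):3030/mindjail\.zip", re.IGNORECASE)
DROPPED_EXE_MD5 = "286b884697dffd5a535295dcf5a4c6ea"  # javax.sun.base.exe, per Axel's reply
C2_HOSTS = {"hk.zxy0.com", "64.156.241.176"}           # SdBot controller named in the reply

# Constructed IRC log lines in the "<nick> message" shape shown in ZSisic's report
SAMPLE_LOG = """\
<kyzclvqfc> EEEEEEETHHHOOOM! MINDJAIL!! HE IS TRAPPED!! GET HIM OUT! http://61.48.32.73:3030/mindjail.zip
<alice> anyone know a good ircd config guide?
<pwdujizao> Ever heard of a thing called mindjail? Check it: http://61.106.85.184:3030/mindjail.zip
<bob> http://example.com/notes.zip is the file I mentioned
"""

IRC_LINE_RE = re.compile(r"^<(?P<nick>[^>]+)>\s+(?P<text>.*)$")


def find_mindjail_spam(log: str) -> List[Dict[str, str]]:
    """Return one record (spamming nick, hosting IP) per line carrying a mindjail.zip URL."""
    hits = []
    for line in log.splitlines():
        m = IRC_LINE_RE.match(line)
        if not m:
            continue  # not a channel/private message line
        url = MINDJAIL_URL_RE.search(m.group("text"))
        if url:
            hits.append({"nick": m.group("nick"), "host": url.group("host")})
    return hits


def is_dropped_sdbot(data: bytes) -> bool:
    """True when the file bytes hash to the MD5 reported for javax.sun.base.exe."""
    return hashlib.md5(data).hexdigest() == DROPPED_EXE_MD5


def is_c2_contact(dest_host: str) -> bool:
    """Flag an outbound connection to the SdBot controller host or its IP."""
    return dest_host.strip().lower() in C2_HOSTS


if __name__ == "__main__":
    for hit in find_mindjail_spam(SAMPLE_LOG):
        print(f"spam from <{hit['nick']}> pointing at {hit['host']}")
```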