Message-ID: <20040122040952.J532-100000@prophet.alphaque.com>
Date: Thu, 22 Jan 2004 04:10:25 +0800 (MYT)
From: Dinesh Nair <dinesh@...haque.com>
To: Gadi Evron <ge@...tistical.reprehensible.net>
Cc: bugtraq@...urityfocus.com, <full-disclosure@...ts.netsys.com>
Subject: Re: [Fwd: [TH-research] Bagle remote uninstall]



Would we then have to deal with someone running this en masse across all
Windows boxen on the internet, under the notion that he's helping someone
out? :)

--dinesh

On Wed, 21 Jan 2004, Gadi Evron wrote:

> Good morning.
> The following forwarded message is from Joe Stewart to TH-Research (The
> Trojan Horses Research Mailing List).
> In it Joe explains a way for admins (or anybody really) to easily and
> massively remove Bagle infections from their networks.
> There are other ways to do this, but this is the most simple that I saw
> thus far.
>
> Thanks again to Joe for all his work.
> Drop him a thank-you note if this helps you, he's a good guy!
>
> 	Gadi Evron
>
> The Trojan Horses Research Mailing List - http://ecompute.org/th-list
>
>
> From: Joe Stewart <jstewart@...hq.com>
> To: TH-Research
> Subject: [TH-research] Bagle remote uninstall
> Date: Tue, 20 Jan 2004 17:19:41 -0500
>
> Mail from Joe Stewart <jstewart@...hq.com>
>
> If you can't wait till January 28, Bagle has a remote uninstall command
> which can be sent over port 6777, the port also used to upload the
> second stage.
>
> For instance, using perl and netcat, you could send the uninstall
> command with the one-liner below:
> perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"' \
> | nc infected_host_IP 6777
>
> When the command bytes above are received by an infected host, the virus
> will exit and delete its executable (using a batch script after the
> fact). The registry keys are not removed.
>
> -Joe
>
> --
>        Gadi Evron,
>        ge@...uxbox.org.
>
> The Trojan Horses Research mailing list - http://ecompute.org/th-list
>
> My resume (Hebrew) - http://www.math.org.il/resume.rtf
>
> PGP key for ge@...uxbox.org -
> http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
> Note: this key is used mainly for files and attachments, I sign email
> messages using:
> http://vapid.reprehensible.net/~ge/Gadi_Evron_sign.asc
>

Regards,                           /\_/\   "All dogs go to heaven."
dinesh@...haque.com                (0 0)    http://www.alphaque.com/
+==========================----oOO--(_)--OOo----==========================+
| for a in past present future; do                                        |
|   for b in clients employers associates relatives neighbours pets; do   |
|   echo "The opinions here in no way reflect the opinions of my $a $b."  |
| done; done                                                              |
+=========================================================================+
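The command bytes Joe posted are also a useful network detection signature: a
defender watching for tcp/6777 traffic can tell a remote uninstall apart from
other traffic to the Bagle backdoor port, and can spot a single source sending
the command to many hosts, which is exactly the en-masse scenario raised
above. The script below is an added example, not code from the thread; the
12 command bytes are taken from the Perl one-liner as Perl decodes it
("\x04" then the literal characters "12", then "\x00"), while the flow-record
format, the addresses and the sample records are constructed.

```python
"""Flag Bagle backdoor traffic (tcp/6777) and the remote-uninstall command
in flow records, and report sources that sent the command to many hosts.
Added example for this thread; record format and addresses are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

BAGLE_PORT = 6777  # upload/uninstall port named in Joe Stewart's mail

# perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"'
# Perl (like Python) takes at most two hex digits after \x, so "\x0412"
# is 0x04 followed by the ASCII characters '1' and '2'.
BAGLE_UNINSTALL = bytes.fromhex("43ffffff00000000") + b"\x04" + b"12" + b"\x00"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed records: "src dst dport hexpayload"; not real captures.
SAMPLE_FLOWS = """
# one source sends the uninstall command to two different hosts
10.0.0.5  10.0.0.77  6777  43ffffff0000000004313200
10.0.0.5  10.0.0.78  6777  43ffffff0000000004313200
# something else talking to the backdoor port (second-stage upload?)
10.0.0.9  10.0.0.77  6777  0102030405
# ordinary web traffic, ignored by this detector
10.0.0.9  10.0.0.77  80    474554202f
"""


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed flow-record format; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, hexpayload = line.split()
        flows.append(Flow(src, dst, int(dport), bytes.fromhex(hexpayload)))
    return flows


def classify(flow: Flow) -> Optional[str]:
    """Label a flow; None means it is not interesting for this detector."""
    if flow.dport != BAGLE_PORT:
        return None
    if flow.payload.startswith(BAGLE_UNINSTALL):
        return "bagle-uninstall"
    return "bagle-port-traffic"


def find_sweeps(flows: list[Flow], min_targets: int = 2) -> dict[str, int]:
    """Sources that sent the uninstall command to at least min_targets distinct
    hosts: either an admin's own cleanup or an outsider 'helping' en masse."""
    targets: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if classify(f) == "bagle-uninstall":
            targets[f.src].add(f.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in flows:
        label = classify(f)
        if label:
            print(f"{f.src} -> {f.dst}:{f.dport}  {label}")
    for src, n in find_sweeps(flows).items():
        print(f"sweep: {src} sent the uninstall command to {n} hosts")
```

The match is on the leading 12 bytes only, so a payload that carries the
command followed by trailing data still triggers; anything else to tcp/6777
is reported as generic backdoor-port traffic, since the thread gives no other
details of the protocol.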

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

