[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040122040952.J532-100000@prophet.alphaque.com>
Date: Thu, 22 Jan 2004 04:10:25 +0800 (MYT)
From: Dinesh Nair <dinesh@...haque.com>
To: Gadi Evron <ge@...tistical.reprehensible.net>
Cc: bugtraq@...urityfocus.com, <full-disclosure@...ts.netsys.com>
Subject: Re: [Fwd: [TH-research] Bagle remote uninstall]
would we then have to deal with someone running this en masse across all
windows boxen on the internet, under the notion that he's helping someone
out ? :)
--dinesh
On Wed, 21 Jan 2004, Gadi Evron wrote:
> Good morning.
> The following forwarded message is from Joe Stewart to TH-Research (The
> Trojan Horses Research Mailing List).
> In it Joe explains of a way for admins (or anybody really) to easily and
> massively remove Bagle infections from their networks.
> There are other ways to do this, but this is the most simple that I saw
> thus far.
>
> Thanks again to Joe for all his work.
> Drop him a thank-you note if this helps you, he's a good guy!
>
> Gadi Evron
>
> The Trojan Horses Research Mailing List - http://ecompute.org/th-list
>
>
> From: Joe Stewart <jstewart@...hq.com>
> To: TH-Research
> Subject: [TH-research] Bagle remote uninstall
> Date: Tue, 20 Jan 2004 17:19:41 -0500
>
> Mail from Joe Stewart <jstewart@...hq.com>
>
> If you can't wait till January 28, Bagle has a remote uninstall command
> which can be sent over port 6777, the port also used to upload the
> second stage.
>
> For instance, using perl and netcat, you could send the uninstall
> command with the one-liner below:
> perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"' \
> | nc infected_host_IP 6777
>
> When the command bytes above are received by an infected host, the virus
> will exit and delete its executable (using a batch script after the
> fact). The registry keys are not removed.
>
> -Joe
>
> --
> Gadi Evron,
> ge@...uxbox.org.
>
> The Trojan Horses Research mailing list - http://ecompute.org/th-list
>
> My resume (Hebrew) - http://www.math.org.il/resume.rtf
>
> PGP key for ge@...uxbox.org -
> http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
> Note: this key is used mainly for files and attachments, I sign email
> messages using:
> http://vapid.reprehensible.net/~ge/Gadi_Evron_sign.asc
>
Regards, /\_/\ "All dogs go to heaven."
dinesh@...haque.com (0 0) http://www.alphaque.com/
+==========================----oOO--(_)--OOo----==========================+
| for a in past present future; do |
| for b in clients employers associates relatives neighbours pets; do |
| echo "The opinions here in no way reflect the opinions of my $a $b." |
| done; done |
+=========================================================================+
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists