Message-ID: <20040412122922.13181.qmail@search.securityfocus.com>
Date: 12 Apr 2004 12:29:22 -0000
From: Alex Gen <alexei.h@...ay.se>
To: bugtraq@...urityfocus.com
Subject: new strange worm




http://www.mikenoels.net/matrix.swf/index1.html (do _not_ open.)

Found a new sort of worm, at least I didn't find any information about this on any security site:

Creates a registry entry \HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 and adds a file called "umcss.exe" to C:\windows(winnt)\system32. The executable spawns a connection to an irc-server called apollo.uplinkearth.com at port 6667. I'm assuming it's sitting in a channel there to create a DoS at a specific date or to give the owner of that irc-server problems.

It also adds a line in mirc.ini telling it to load a script called custom1.mrc, which adds an "on join" to remote, sending several messages to channel visitors, including one with the URL above.

regards,
Alex Gen
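
An added example, not part of the original post: a small triage script that checks a host image and connection logs for the file, mirc.ini and IRC indicators named in the report. The sample directory layout, the mirc.ini section and key names, and the log line format are constructed assumptions.

```python
import os
import re
import tempfile

# Indicators exactly as given in the report above.
DROPPED_FILE = "umcss.exe"
MIRC_SCRIPT = "custom1.mrc"
IRC_HOST = "apollo.uplinkearth.com"
IRC_PORT = "6667"

def find_dropped_file(windows_dir):
    """Path of umcss.exe under <windows_dir>/system32, or None (case-insensitive)."""
    sys32 = next((os.path.join(windows_dir, d) for d in os.listdir(windows_dir)
                  if d.lower() == "system32"), None)
    if sys32 is None or not os.path.isdir(sys32):
        return None
    for name in os.listdir(sys32):
        if name.lower() == DROPPED_FILE:
            return os.path.join(sys32, name)
    return None

def find_mirc_script_lines(ini_path):
    """(line number, text) for every mirc.ini line that references custom1.mrc."""
    with open(ini_path, encoding="latin-1") as fh:
        return [(n, line.strip()) for n, line in enumerate(fh, 1)
                if MIRC_SCRIPT in line.lower()]

def find_irc_connections(log_lines):
    """Log lines naming the IRC host together with port 6667 as a whole number."""
    port = re.compile(r"(?<!\d)" + IRC_PORT + r"(?!\d)")
    return [ln for ln in log_lines if IRC_HOST in ln.lower() and port.search(ln)]

def make_sample_host(root):
    """Build a constructed, harmless directory layout that mimics an affected host."""
    os.makedirs(os.path.join(root, "WINNT", "System32"))
    open(os.path.join(root, "WINNT", "System32", "UMCSS.EXE"), "w").close()
    ini = os.path.join(root, "mirc.ini")
    with open(ini, "w") as fh:  # section and key names are assumptions
        fh.write("[rfiles]\nn0=remote.ini\nn1=custom1.mrc\n")
    return os.path.join(root, "WINNT"), ini

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        windir, ini = make_sample_host(tmp)
        logs = ["out tcp 10.0.0.5 -> apollo.uplinkearth.com:6667",  # constructed
                "out tcp 10.0.0.5 -> example.org:80"]
        print(find_dropped_file(windir))
        print(find_mirc_script_lines(ini))
        print(find_irc_connections(logs))
```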

