lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040122040952.J532-100000@prophet.alphaque.com> From: dinesh at alphaque.com (Dinesh Nair) Subject: Re: [Fwd: [TH-research] Bagle remote uninstall] would we then have to deal with someone running this en masse across all windows boxen on the internet, under the notion that he's helping someone out ? :) --dinesh On Wed, 21 Jan 2004, Gadi Evron wrote: > Good morning. > The following forwarded message is from Joe Stewart to TH-Research (The > Trojan Horses Research Mailing List). > In it Joe explains of a way for admins (or anybody really) to easily and > massively remove Bagle infections from their networks. > There are other ways to do this, but this is the most simple that I saw > thus far. > > Thanks again to Joe for all his work. > Drop him a thank-you note if this helps you, he's a good guy! > > Gadi Evron > > The Trojan Horses Research Mailing List - http://ecompute.org/th-list > > > From: Joe Stewart <jstewart@...hq.com> > To: TH-Research > Subject: [TH-research] Bagle remote uninstall > Date: Tue, 20 Jan 2004 17:19:41 -0500 > > Mail from Joe Stewart <jstewart@...hq.com> > > If you can't wait till January 28, Bagle has a remote uninstall command > which can be sent over port 6777, the port also used to upload the > second stage. > > For instance, using perl and netcat, you could send the uninstall > command with the one-liner below: > perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"' \ > | nc infected_host_IP 6777 > > When the command bytes above are received by an infected host, the virus > will exit and delete its executable (using a batch script after the > fact). The registry keys are not removed. > > -Joe > > -- > Gadi Evron, > ge@...uxbox.org. > > The Trojan Horses Research mailing list - http://ecompute.org/th-list > > My resume (Hebrew) - http://www.math.org.il/resume.rtf > > PGP key for ge@...uxbox.org - > http://vapid.reprehensible.net/~ge/Gadi_Evron.asc > Note: this key is used mainly for files and attachments, I sign email > messages using: > http://vapid.reprehensible.net/~ge/Gadi_Evron_sign.asc > Regards, /\_/\ "All dogs go to heaven." dinesh@...haque.com (0 0) http://www.alphaque.com/ +==========================----oOO--(_)--OOo----==========================+ | for a in past present future; do | | for b in clients employers associates relatives neighbours pets; do | | echo "The opinions here in no way reflect the opinions of my $a $b." | | done; done | +=========================================================================+
Powered by blists - more mailing lists