lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: ge at egotistical.reprehensible.net (Gadi Evron)
Subject: [Fwd: [TH-research] Bagle remote uninstall]

Good morning.
The following forwarded message is from Joe Stewart to TH-Research (The 
Trojan Horses Research Mailing List).
In it Joe explains of a way for admins (or anybody really) to easily and 
massively remove Bagle infections from their networks.
There are other ways to do this, but this is the most simple that I saw 
thus far.

Thanks again to Joe for all his work.
Drop him a thank-you note if this helps you, he's a good guy!

	Gadi Evron

The Trojan Horses Research Mailing List - http://ecompute.org/th-list


From: Joe Stewart <jstewart@...hq.com>
To: TH-Research
Subject: [TH-research] Bagle remote uninstall
Date: Tue, 20 Jan 2004 17:19:41 -0500

Mail from Joe Stewart <jstewart@...hq.com>

If you can't wait till January 28, Bagle has a remote uninstall command
which can be sent over port 6777, the port also used to upload the
second stage.

For instance, using perl and netcat, you could send the uninstall
command with the one-liner below:
perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"' \
| nc infected_host_IP 6777

When the command bytes above are received by an infected host, the virus
will exit and delete its executable (using a batch script after the
fact). The registry keys are not removed.

-Joe

-- 
       Gadi Evron,
       ge@...uxbox.org.

The Trojan Horses Research mailing list - http://ecompute.org/th-list

My resume (Hebrew) - http://www.math.org.il/resume.rtf

PGP key for ge@...uxbox.org -
http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
Note: this key is used mainly for files and attachments, I sign email 
messages using:
http://vapid.reprehensible.net/~ge/Gadi_Evron_sign.asc


Powered by blists - more mailing lists