| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Aug 17 16:40:53 2005 From: vun.list at gmail.com (John Smith) Subject: Disney Down? I joined said IRC channel, and the topic is ".ntscan 100 120 -a -b" so it appears to be joining the channel and getting paramaters for this "ntscan program" --M Jan Nielsen wrote: > I was at a customer today with this problem, initially their network was > acting up and some ppl, couldn't logon to the servers in the morning. > We found the file "kilo.exe" on some machines that apparently had not > been patched, one thing I noticed while running this file on a vmware xp > sp1 is that it connects to on irc server @ 61.220.217.49 on port 4128 > and logs in to it with password : 146751dhzx > Then it sets a few commands : > > JOIN #100+ > MODE #100+ +nts > > Which for an RBOT virus in itself is nothing special, but I noticed one > thing in my sniffer trace that got me a bit worried, this is a packet > sent from the infected pc to the irc server : > > 0000 00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00 ..S+....).g...E. > 0010 00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc .S..@....F..d.=. > 0020 d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18 .1... "..[....P. > 0030 3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31 ?1....PRIVMSG #1 > 0040 30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a 00+ :[.NTScan.]: > 0050 20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d Weakpassword... > 0060 0a . > > Anyone know what this could be ? > > Regards > Jan > > -----Original Message----- > From: sk3tch@...tch.net [mailto:sk3tch@...tch.net] > Sent: 17. august 2005 00:54 > To: cdwilde@...il.com; full-disclosure@...ts.grok.org.uk > Subject: RE: [Full-disclosure] Disney Down? > > MD5SUM 7a67f7a8c844820c1bae3ebf720c1cd9 (wintbp.exe) > > Trend Micro: WORM_RBOT.CBQ - > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBO > T.CBQ > Symantec: Win32.Zotob.E > McAfee: exploit-dcomrpc > Kaspersky: Net-Worm.Win32.Small.d > > This is what is on CNN right now. > > -----Original Message----- > From: full-disclosure-bounces@...ts.grok.org.uk on behalf of David Wilde > Sent: Tue 8/16/2005 5:13 PM > To: full-disclosure@...ts.grok.org.uk > Subject: [Full-disclosure] Disney Down? > > A buddy of mine who's fiance works for Disney just told me that they > have sent everyone home for the day. When I say everyone I mean, > Disney Land, Disney World, Disney Corporate, etc... He's not sure > what the virus is called but it's apparently very nasty. Anyone have > any more info on this? > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
Powered by blists - more mailing lists