Message-ID: <000001c5a343$94059fa0$c864a8c0@dopehead>
Date: Wed Aug 17 16:45:40 2005
From: jan at boyakasha.dk (Jan Nielsen)
Subject: Disney Down?

Yes I noticed that, what I am wondering is if the msg sent is to
indicate that the local user password is weak in some way? Does anyone
know this ntscan util? Is it maybe a part of the RBOT design or
something? I have run it through IDA 4.8 disassembler and the functions
imported correspond to the ones I have seen, so I don't think there are
any unpleasant surprises hidden within the program, but still it would
be nice to know if this somehow is compromising some credentials on the
customers' installed base?

Jan


-----Original Message-----
From: John Smith [mailto:vun.list@...il.com] 
Sent: 17. august 2005 17:41
To: Jan Nielsen
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Disney Down?

I joined said IRC channel, and the topic is ".ntscan 100 120 -a -b" so
it appears to be joining the channel and getting parameters for this
"ntscan program"

--M

Jan Nielsen wrote:
> I was at a customer today with this problem, initially their network was
> acting up and some ppl couldn't logon to the servers in the morning.
> We found the file "kilo.exe" on some machines that apparently had not
> been patched, one thing I noticed while running this file on a vmware xp
> sp1 is that it connects to an irc server @ 61.220.217.49 on port 4128
> and logs in to it with password : 146751dhzx
> Then it sets a few commands :
> 
> JOIN #100+
> MODE #100+ +nts
> 
> Which for an RBOT virus in itself is nothing special, but I noticed one
> thing in my sniffer trace that got me a bit worried, this is a packet
> sent from the infected pc to the irc server :
> 
> 0000   00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00  ..S+....).g...E.
> 0010   00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc  .S..@....F..d.=.
> 0020   d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18  .1... "..[....P.
> 0030   3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31  ?1....PRIVMSG #1
> 0040   30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a  00+ :[.NTScan.]:
> 0050   20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d   Weakpassword...
> 0060   0a                                               .
> 
> Anyone know what this could be ?
> 
> Regards
> Jan
> 
> -----Original Message-----
> From: sk3tch@...tch.net [mailto:sk3tch@...tch.net] 
> Sent: 17. august 2005 00:54
> To: cdwilde@...il.com; full-disclosure@...ts.grok.org.uk
> Subject: RE: [Full-disclosure] Disney Down?
> 
> MD5SUM 7a67f7a8c844820c1bae3ebf720c1cd9 (wintbp.exe)
> 
> Trend Micro: WORM_RBOT.CBQ -
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
> Symantec: Win32.Zotob.E
> McAfee: exploit-dcomrpc
> Kaspersky: Net-Worm.Win32.Small.d
> 
> This is what is on CNN right now.
> 
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk on behalf of David Wilde
> Sent: Tue 8/16/2005 5:13 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] Disney Down?
>  
> A buddy of mine whose fiance works for Disney just told me that they
> have sent everyone home for the day.  When I say everyone I mean,
> Disney Land, Disney World, Disney Corporate, etc...  He's not sure
> what the virus is called but it's apparently very nasty.  Anyone have
> any more info on this?
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 


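As an added illustration (not code from the thread), the Python below decodes the sniffer dump Jan quoted, walks the Ethernet, IPv4 and TCP headers, and pulls out the IRC PRIVMSG so a network monitor can flag a bot reporting its scan result to its channel. The frame bytes are the ones in the dump above; the function names and the "NTScan" match string are assumptions made for this example.

```python
import re
import struct

# Hex dump copied from Jan's sniffer trace above (one Ethernet frame, 97 bytes).
CAPTURED_HEX = """
0000   00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00
0010   00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc
0020   d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18
0030   3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31
0040   30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a
0050   20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d
0060   0a
"""

def hexdump_to_bytes(dump):
    """Drop the offset column of each line and join the hex pairs into raw bytes."""
    return b"".join(bytes.fromhex("".join(line.split()[1:]))
                    for line in dump.strip().splitlines())

def parse_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP; return addressing plus the TCP payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}

IRC_PRIVMSG = re.compile(rb"^PRIVMSG (?P<target>\S+) :(?P<text>.*?)\r?\n?$")

def irc_privmsg(payload):
    """Parse one raw IRC PRIVMSG line; 0x02 is IRC bold markup, not content."""
    m = IRC_PRIVMSG.match(payload)
    if not m:
        return None
    text = m.group("text").replace(b"\x02", b"").decode("ascii", "replace")
    return {"target": m.group("target").decode("ascii"), "text": text}

def analyse(dump):
    """Decode the frame and flag a PRIVMSG that reports an NTScan result to the channel."""
    pkt = parse_frame(hexdump_to_bytes(dump))
    pkt["irc"] = irc_privmsg(pkt["payload"])
    # "[NTScan]: Weakpassword" is the bot telling its controller a local credential was guessable.
    pkt["ntscan_report"] = bool(pkt["irc"] and "NTScan" in pkt["irc"]["text"])
    return pkt
```

The same decode can be run over any IRC-bound TCP segment from a capture; a PRIVMSG to the bot channel carrying a scan verdict is the signal worth alerting on, independent of the server IP or port in use.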