Message-ID: <000401c5a361$13ecd310$c864a8c0@dopehead>
Date: Wed Aug 17 20:16:18 2005
From: jan at boyakasha.dk (Jan Nielsen)
Subject: Disney Down?

I have been running the virus on my VMware XP SP1 with a software
package on it called Cisco Security Agent, sort of a HIDS package, which
I basically have set up to log all system events to
file/API/memory/network functions without blocking them.

For those who are interested, the log is here:
http://www.boyakasha.dk/virusevents.log

Regards
Jan

-----Original Message-----
From: Jan Nielsen [mailto:jan@...akasha.dk] 
Sent: 17. august 2005 17:36
To: 'full-disclosure@...ts.grok.org.uk'
Subject: RE: [Full-disclosure] Disney Down?

I was at a customer today with this problem; initially their network was
acting up and some people couldn't log on to the servers in the morning.
We found the file "kilo.exe" on some machines that apparently had not
been patched. One thing I noticed while running this file on a VMware XP
SP1 is that it connects to an IRC server at 61.220.217.49 on port 4128
and logs in to it with password: 146751dhzx
Then it sends a few commands:

JOIN #100+
MODE #100+ +nts

Which for an Rbot virus is in itself nothing special, but I noticed one
thing in my sniffer trace that got me a bit worried. This is a packet
sent from the infected PC to the IRC server:

0000   00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00  ..S+....).g...E.
0010   00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc  .S..@....F..d.=.
0020   d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18  .1... "..[....P.
0030   3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31  ?1....PRIVMSG #1
0040   30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a  00+ :[.NTScan.]:
0050   20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d   Weakpassword...
0060   0a                                               .

Anyone know what this could be?

Regards
Jan

-----Original Message-----
From: sk3tch@...tch.net [mailto:sk3tch@...tch.net] 
Sent: 17. august 2005 00:54
To: cdwilde@...il.com; full-disclosure@...ts.grok.org.uk
Subject: RE: [Full-disclosure] Disney Down?

MD5SUM 7a67f7a8c844820c1bae3ebf720c1cd9 (wintbp.exe)

Trend Micro: WORM_RBOT.CBQ -
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
Symantec: Win32.Zotob.E
McAfee: exploit-dcomrpc
Kaspersky: Net-Worm.Win32.Small.d

This is what is on CNN right now.

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk on behalf of David Wilde
Sent: Tue 8/16/2005 5:13 PM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Disney Down?
 
A buddy of mine whose fiancée works for Disney just told me that they
have sent everyone home for the day.  When I say everyone I mean
Disneyland, Disney World, Disney Corporate, etc...  He's not sure
what the virus is called but it's apparently very nasty.  Anyone have
any more info on this?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
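The packet dump quoted above (in Jan's second message) can be checked and decoded mechanically rather than read by eye. What follows is an added example, not code from the original post or from any of the posters: a small Python decoder that reads the dump exactly as it was posted, walks the Ethernet II / IPv4 / TCP headers, verifies the IP and TCP checksums (a quick test that a hand-pasted dump was transcribed faithfully), and parses the IRC PRIVMSG line the bot sends into its channel. The frame bytes are the ones in the post; the function names and the "[module]: status" pattern used to recognise a bot status line are this example's own assumptions.

```python
"""Decode the frame from the post and recover the bot's IRC status line."""
import re
import struct
from typing import Dict, Optional, Tuple

# Constructed input: the hex dump exactly as it appears in the post above
# (offset column, up to 16 bytes per line, then the ASCII column).
POSTED_DUMP = """
0000   00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00  ..S+....).g...E.
0010   00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc  .S..@....F..d.=.
0020   d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18  .1... "..[....P.
0030   3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31  ?1....PRIVMSG #1
0040   30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a  00+ :[.NTScan.]:
0050   20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d   Weakpassword...
0060   0a                                               .
"""

# Offset, then at most 16 hex pairs; the cap plus the double space before the
# ASCII column keeps printable text such as "00+" from being read as hex.
_DUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{2} ?){1,16})")
# mIRC control codes: bold (\x02, used by the bot), reset, reverse, italic,
# underline, and colour with its optional fg[,bg] digits.
_IRC_FORMATTING = re.compile(rb"[\x02\x0f\x16\x1d\x1f]|\x03(?:\d{1,2}(?:,\d{1,2})?)?")
# Assumed shape of a bot status report, as seen in the post: "[<module>]: <status>".
_BOT_REPORT = re.compile(r"^\[(?P<module>[A-Za-z0-9_-]+)\]:\s*(?P<status>.*)$")


def dump_to_bytes(dump: str) -> bytes:
    """Turn a Wireshark/Ethereal-style hex dump back into raw frame bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 means an embedded checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode Ethernet II / IPv4 / TCP and verify both header checksums."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if proto != 6:
        raise ValueError("not a TCP segment")
    segment = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_off = (off_flags >> 12) * 4
    # TCP pseudo-header: src, dst, zero, protocol, TCP length.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(segment))
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x1FF,          # 0x018 == PSH|ACK
        "ip_checksum_ok": checksum(ip[:ihl]) == 0,
        "tcp_checksum_ok": checksum(pseudo + segment) == 0,
        "payload": segment[data_off:],
    }


def parse_irc_line(line: bytes) -> Tuple[str, str, str]:
    """Split '[:prefix] COMMAND target :trailing' into (command, target, text)."""
    line = line.rstrip(b"\r\n")
    if line.startswith(b":"):                 # server prefix; absent client->server
        line = line.split(b" ", 1)[1]
    head, _, trailing = line.partition(b" :")
    parts = head.split()
    command = parts[0].decode("ascii", "replace").upper()
    target = parts[1].decode("ascii", "replace") if len(parts) > 1 else ""
    text = _IRC_FORMATTING.sub(b"", trailing).decode("latin-1")
    return command, target, text


def classify_bot_report(text: str) -> Optional[Tuple[str, str]]:
    """Return (module, status) when the message looks like a bot status line."""
    m = _BOT_REPORT.match(text)
    return (m.group("module"), m.group("status")) if m else None


def analyse(dump: str = POSTED_DUMP) -> Dict[str, object]:
    """End-to-end: dump text -> decoded headers -> parsed IRC report."""
    info = parse_frame(dump_to_bytes(dump))
    command, target, text = parse_irc_line(info["payload"])
    info.update(irc_command=command, irc_target=target, irc_text=text,
                bot_report=classify_bot_report(text))
    return info


if __name__ == "__main__":
    r = analyse()
    print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} flags=0x{r['flags']:03x} "
          f"ipcsum={'ok' if r['ip_checksum_ok'] else 'BAD'} "
          f"tcpcsum={'ok' if r['tcp_checksum_ok'] else 'BAD'}")
    print(r["irc_command"], r["irc_target"], repr(r["irc_text"]), r["bot_report"])
```

Run as a script it prints the 5-tuple (192.168.100.13:1811 to 61.220.217.49:4128, PSH/ACK) with both checksums marked ok, then the decoded line: PRIVMSG to #100+ with the text "[NTScan]: Weakpassword..", split into module NTScan and status "Weakpassword..". Checking the checksums before trusting a hand-pasted dump is worth the few lines: a transcription slip would show up as a bad IP or TCP checksum, and so would a capture taken on a host with checksum offload on its own outbound packets; here both verify, so the bytes in the post can be taken at face value.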
