Bugtraq mailing list archives

Re: Internet Wide DOS Attack using IRC


From: root () LOCKDOWN NET (Kameron Gasso)
Date: Fri, 2 Oct 1998 21:12:56 +0000


Very interesting.  I figured this would be on a Warez bot since many Warez
kiddies trust the bots and since the filenames looked a bit suspicious.

I was curious as to how the author of the original post knew the users
were on IRC.

> (stable). My personal estimation of infected computers is 15000+.

That's not good.  Many of these infected people probably don't read
BUGTRAQ, and will have no clue.  Unfortunately, there's nothing we can do
without the help of IRC operators and administrators.

> With 500 "clones" they can easily split an irc server with the command
> MOTD :irc.server.net (.do raw command).

Dianora: Thanks for verifying this.  Perhaps this information should be
forwarded to IRC administrators of UnderNet and DALNet.  It would be
a lot easier to get rid of this thing when the operators know who is
infected.

> To see if you are infected do CTRL-ALT-DEL in Windows and if you have a
> process called OCE it's the Havoc's trojan :] remove it in your system
> directory, usually c:\windows\system

Is that in a regular task list or a low-level process viewer?  Programs
such as BO and NetBus do not show up in the task list, but a less complex
program/less experienced programmer might forget about this or just not
know how to hide it.  If it is visible only in a low-level process viewer,
Windows95 users will have to download one.  Windows98 users can install
one optionally, and WindowsNT users have one installed by default.

The user will probably have to kill the process before removing the file,
or else they will get the message "This file is in use by Windows".

I don't have a URL for a Windows95 process viewer since I don't use
Windows95.  I'm sure several users would appreciate a post from anyone who
might have one.

It's too bad this has to happen, but what can we do...


- Kameron Gasso
  krg () lockdown net


