Full Disclosure mailing list archives

Re: AMDPatchB & InstallStub


From: "Russell Kaiser" <RKaiser () gwm sc edu>
Date: Wed, 17 Sep 2003 16:35:53 -0400

Might be a variant of W32/Gaobot.  This worm connects to an IRC server
on TCP port 9900.  Looking at the Auth/Ident response from the server it
looks like an IRC server.

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.html

http://vil.nai.com/vil/content/v_100611.htm

Russell Kaiser
Network Security Engineer
Computer Services
University of South Carolina



"Michael Linke" <ml () intract org> 9/17/2003 3:05:33 PM >>>
At one of our Computers with Internet Access, I found a strange program
running.
amdpatchB.exe (38 KB)

This program is trying to get Internet Access while starting.
amdpatchB.exe is connecting to 63.246.134.50:9900.
There is a text based protocol running on 63.246.134.50 at a service on
port 9900.
See Telnet output:
________________________________________________________
telnet 63.246.134.50 9900
Trying 63.246.134.50...
Connected to 63.246.134.50.
Escape character is '^]'.
NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** Found your hostname
help
:Drones2.newiso.org 451 *  :Register first.
_________________________________________________________

I used Google to look for this filename but got no result.
Any ideas what this is?

Regards,
Michael

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
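
Added example, not part of either poster's message: a small Python check that recognises an IRC server from a captured banner like the telnet output quoted above, using the "NOTICE AUTH" lines and the RFC 1459 numeric 451 (ERR_NOTREGISTERED). The function names and the SAMPLE_BANNER list are assumptions made for illustration; the sample lines are copied from the transcript.

```python
import re

# Constructed sample: the server lines from the telnet transcript quoted above.
SAMPLE_BANNER = [
    "NOTICE AUTH :*** Looking up your hostname",
    "NOTICE AUTH :*** Checking Ident",
    "NOTICE AUTH :*** Found your hostname",
    ":Drones2.newiso.org 451 *  :Register first.",
]
ERR_NOTREGISTERED = "451"  # RFC 1459 numeric sent to clients that have not registered


def parse_irc_line(line):
    """Split one line into (prefix, command, params) using RFC 1459 framing."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    command, params = parts[0].upper(), parts[1:]
    if sep:
        params.append(trailing)
    # An IRC command is either letters only or a three-digit numeric reply.
    if not re.fullmatch(r"[A-Z]+|\d{3}", command):
        return None
    return prefix, command, params


def classify_banner(lines):
    """Report which IRC indicators appear in a captured server banner."""
    indicators, server = set(), None
    for raw in lines:
        parsed = parse_irc_line(raw)
        if parsed is None:
            continue
        prefix, command, params = parsed
        if command == "NOTICE" and params[:1] == ["AUTH"]:
            indicators.add("NOTICE AUTH")
        # Require a server prefix so an SMTP "451 ..." reply is not mistaken for IRC.
        if command == ERR_NOTREGISTERED and prefix:
            indicators.add("451 ERR_NOTREGISTERED")
            server = prefix
    return {"looks_like_irc": bool(indicators),
            "indicators": sorted(indicators), "server": server}


if __name__ == "__main__":
    print(classify_banner(SAMPLE_BANNER))
```

The same check can be run over banners collected from outbound connections to unusual ports to flag hosts talking IRC where none is expected.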

