Security Incidents mailing list archives

Re: possible new irc worm

From: Chris Ess <azarin () tokimi net>
Date: Sat, 28 Jun 2003 01:52:16 -0400 (EDT)

I attempted to grab that package in order to take a look at it, but the
link seems to be dead. On top of that, the IP seems to be dead. Did you
get a chance to grab the archive earlier ? If so, please send it to me, no
need to post it to the list unless others want it.

I'm going on a drive tommorow, and it would be nice to have something to
occupy myself with :)


I have a copy that someone else managed to snag.  Jonathan, I'll send you
a copy in another email.  If anyone else wants it, please feel free to
ask.

What I've come up with so far is this:

The vector appears to be a zip file that contains an HTML file.  The HTML
file has, at the beginning of it, a base64-encoded executable of some
sort.  Unfortunately, I lack the resources to analyze it further.
(Anyone have a good x86 disassembler or decompiler they'd like to
suggest?)  The text of the document is output through javascript.
Presumably it uses this to execute the embedded executable.  I'm told this
only works in IE but haven't seen fit to experiment myself.  (Is this
behavior expected or is it a bug?)

I have been told that as of 8:30 BST (GMT+0100), the worms appeared to
have stopped.  I would guess that this is some sort of timing routine
built into the worm.  Whether or not it'll restart again remains to be
seen, but I haven't seen any activity for a while.

Sincerely,


Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)


----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Current thread:

possible new irc worm ZSisic (Jun 27)
- Re: possible new irc worm Becky (Jun 27)
- Re: possible new irc worm rewt (Jun 27)
  - Re: possible new irc worm Chris Ess (Jun 28)
    - Re: possible new irc worm Paolo Monti (Jun 28)
- Re: possible new irc worm Axel Pettinger (Jun 28)
  - Re: possible new irc worm Chris Ess (Jun 29)