Security Incidents mailing list archives

Re: possible new irc worm


From: Axel Pettinger <api () epost de>
Date: Sat, 28 Jun 2003 23:23:25 +0200

ZSisic wrote:

> Hello everybody,
>
> As of today, we started noticing spamming bots or drones on our IRC
> network. They enter channels, scan for users, exit and spam users with
> the following messages:
>
> <kyzclvqfc> EEEEEEETHHHOOOM! MINDJAIL!! HE IS TRAPPED!! GET HIM OUT!
> http://61.48.32.73:3030/mindjail.zip
>
> <pwdujizao> Ever heard of a thing called mindjail? Check it:
> http://61.106.85.184:3030/mindjail.zip
>
> Did anybody else notice this behavior? It seems to be a new worm. I
> searched on Google for "mindjail", but my search did not return
> anything.

"mindjail.zip" contains a HTML file, "mindjail.html", which drops and
executes "javax.sun.base.exe" (MD5: 286b884697dffd5a535295dcf5a4c6ea) on
vulnerable systems - see "Self-Executing HTML: Internet Explorer 5.5 and
6.0 Part II", <http://www.securityfocus.com/archive/1/313174>, for more
information about the vulnerability.

"javax.sun.base.exe" is an upx'ed SdBot variant. It tries to connect to
"hk.zxy0.com" [64.156.241.176].

Most anti-virus scanners fail to detect the exploit code and the
backdoor trojan, but a few scanners report the following:

[MINDJAIL.HTML]

    Dialogue Science DrWebWCL  : Trojan.SelfExecHtml
    GeCAD RAVAV                : HTML/CodeBaseExec*
    Kaspersky Lab KAVDOS32     : TrojanDropper.JS.Mimail.b
    Symantec NAV CE VSCAND     : Trojan.Sefex

[JAVAX.SUN.BASE.EXE]

    GeCAD RAVAV                : Backdoor:IRC/SdBot
    Kaspersky Lab KAVDOS32     : Backdoor.SdBot.gen


Regards,
Axel Pettinger
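A defender-side check for the drone behaviour described in this thread (private messages from random nicks pushing a .zip from a bare IP on an odd port), written as an added example that is not part of the original post. The two bait lines reuse the text and URLs quoted above; the hostmasks, the two benign messages and the indicator names are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of raw IRC PRIVMSG lines: the two bait messages reuse the text and
# URLs quoted in the post; the hostmasks and the two other messages are made up.
SAMPLE_LOG = """\
:kyzclvqfc!~k@10.0.0.5 PRIVMSG alice :EEEEEEETHHHOOOM! MINDJAIL!! HE IS TRAPPED!! GET HIM OUT! http://61.48.32.73:3030/mindjail.zip
:pwdujizao!~p@10.0.0.6 PRIVMSG bob :Ever heard of a thing called mindjail? Check it: http://61.106.85.184:3030/mindjail.zip
:bob!~b@10.0.0.7 PRIVMSG #chan :has anyone seen the new kernel patch? http://www.kernel.org/
:carol!~c@10.0.0.8 PRIVMSG #chan :grab the slides here http://example.org:8080/slides.zip
"""

PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
DROPPER_EXT = (".zip", ".exe", ".scr", ".pif")

def url_indicators(url, target):
    """Indicators a single URL triggers, given the PRIVMSG target it was sent to."""
    parts = urlsplit(url)
    reasons = []
    if parts.hostname and IPV4_RE.fullmatch(parts.hostname):
        reasons.append("ip-literal-host")      # bare IP, no DNS name, typical throwaway drop site
    if parts.port not in (None, 80, 443):
        reasons.append("nonstandard-port")     # e.g. :3030 in the quoted messages
    if parts.path.lower().endswith(DROPPER_EXT):
        reasons.append("dropper-archive")      # archive/executable payload, not a web page
    if not target.startswith(("#", "&")):
        reasons.append("private-message")      # drones DM users instead of posting in channel
    return reasons

def scan_log(log, threshold=3):
    """Score every URL in every PRIVMSG, then add a campaign indicator when the same file
    name is pushed by more than one nick. Returns the messages at or above threshold."""
    hits, senders_by_file = [], defaultdict(set)
    for line in log.splitlines():
        m = PRIVMSG_RE.match(line)
        if not m:
            continue
        for url in URL_RE.findall(m["text"]):
            fname = urlsplit(url).path.rsplit("/", 1)[-1].lower()
            senders_by_file[fname].add(m["nick"])
            hits.append({"nick": m["nick"], "url": url, "file": fname,
                         "reasons": url_indicators(url, m["target"])})
    for h in hits:
        if h["file"] and len(senders_by_file[h["file"]]) > 1:
            h["reasons"].append("multi-sender-campaign")
    return [h for h in hits if len(h["reasons"]) >= threshold]
```

Running `scan_log(SAMPLE_LOG)` flags only the two mindjail messages; the slides.zip line scores two indicators and stays below the default threshold, which is the kind of near-miss worth tuning against real traffic.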
