Security Incidents mailing list archives
Re: possible new irc worm
From: Axel Pettinger <api () epost de>
Date: Sat, 28 Jun 2003 23:23:25 +0200
ZSisic wrote:
> Hello everybody,
>
> As of today, we started noticing spamming bots or drones on our IRC network. They enter channels, scan for users, exit and spam users with the following messages:
>
> <kyzclvqfc> EEEEEEETHHHOOOM! MINDJAIL!! HE IS TRAPPED!! GET HIM OUT! http://61.48.32.73:3030/mindjail.zip
> <pwdujizao> Ever heard of a thing called mindjail? Check it: http://61.106.85.184:3030/mindjail.zip
>
> Did anybody else notice this behavior? It seems to be a new work. I searched on Google for "mindjail", but my search did not return anything.
"mindjail.zip" contains an HTML file, "mindjail.html", which drops and executes "javax.sun.base.exe" (MD5: 286b884697dffd5a535295dcf5a4c6ea) on vulnerable systems - see "Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part II", <http://www.securityfocus.com/archive/1/313174>, for more information about the vulnerability.

"javax.sun.base.exe" is an upx'ed SdBot variant. It tries to connect to "hk.zxy0.com" [64.156.241.176].

Most anti-virus scanners fail to detect the exploit code and the backdoor trojan. But a few scanners report the following:

[MINDJAIL.HTML]
Dialogue Science DrWebWCL : Trojan.SelfExecHtml
GeCAD RAVAV : HTML/CodeBaseExec*
Kaspersky Lab KAVDOS32 : TrojanDropper.JS.Mimail.b
Symantec NAV CE VSCAND : Trojan.Sefex

[JAVAX.SUN.BASE.EXE]
GeCAD RAVAV : Backdoor:IRC/SdBot
Kaspersky Lab KAVDOS32 : Backdoor.SdBot.gen

Regards,
Axel Pettinger
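A log-side check for the pattern described in this thread (several throwaway nicks pushing the same download from raw IP addresses), as an added example that is not part of the original posts. The "<nick> text" log format, the extension list and the two-nick threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: the two spam lines reuse the messages quoted in the
# thread, the other two lines are made up for contrast.
SAMPLE_LOG = """\
<kyzclvqfc> EEEEEEETHHHOOOM! MINDJAIL!! HE IS TRAPPED!! GET HIM OUT! http://61.48.32.73:3030/mindjail.zip
<alice> anyone have the link to the channel rules?
<pwdujizao> Ever heard of a thing called mindjail? Check it: http://61.106.85.184:3030/mindjail.zip
<bob> rules are at http://irc.example.org/rules.html
"""

LINE_RE = re.compile(r"^<(?P<nick>[^>]+)>\s+(?P<text>.*)$")
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
RISKY_EXT = (".zip", ".exe", ".scr", ".pif")  # assumed list, tune per network


def suspicious_urls(text):
    """Yield (url, filename) for URLs with an IPv4-literal host and a risky extension."""
    for url in URL_RE.findall(text):
        try:
            parts = urlsplit(url)
            host = parts.hostname or ""
        except ValueError:  # malformed URL, nothing to classify
            continue
        name = parts.path.rsplit("/", 1)[-1].lower()
        if IPV4_RE.match(host) and name.endswith(RISKY_EXT):
            yield url, name


def find_campaigns(log, min_nicks=2):
    """Group hits by filename and keep files pushed by at least min_nicks distinct nicks."""
    by_file = defaultdict(lambda: {"nicks": set(), "urls": set()})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for url, name in suspicious_urls(m.group("text")):
            by_file[name]["nicks"].add(m.group("nick"))
            by_file[name]["urls"].add(url)
    return {n: v for n, v in by_file.items() if len(v["nicks"]) >= min_nicks}


if __name__ == "__main__":
    for name, hit in find_campaigns(SAMPLE_LOG).items():
        print(name, sorted(hit["nicks"]), sorted(hit["urls"]))
```

Grouping by filename rather than by URL is what ties the two messages together, since each bot in the thread advertises a different host.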