Security Incidents mailing list archives

Re: New IRC Worm?


From: Gadi Evron <ge () linuxbox org>
Date: Wed, 26 May 2004 09:19:57 +0200

Mister Coffee wrote:

> Good day,
>
> I'm an admin on a small IRC network and take a personal interest in dealing with all the various worms that seem to cruise by. Recently, we've seen a spate of connections where a "user" signs in, jumps into a channel and spews "http://<client IP>/<random>.exe" then channel hops. Usually repeated several times before it either disconnects or is killed by an oper.
>
> Relatively typical bot behavior. I was able to download the virus to a *NIX box for posterity. Strings output caught the somewhat odd "tate()dextromethorphan" in the body. Evidently this is a drug found in cough medicine and subject to abuse?
>
> In any case, I was curious to know if anyone else had seen this. File size is 45568 and I can make it available if someone wants to examine it. I suspect an ago/gao/phat/etc/bot variant but figured I'd ask before deconstructing.
>
> TIA

Provided with the sample I looked into it.

I haven't done any exhaustive study, but from a first glance there are a few things I can tell you about it.

It looks a bit like an IRCbot, both the binary and the behavior you describe on IRC, but I don't think it is. Most AVs don't detect it; those that do detect it heuristically agree that it is an IRCbot as well.

It is double-packed, using PE_Patch and UPX. VB - yuck.

Kaspersky calls it Backdoor.VB.qa.
NAI identifies it as Dextro, a p2p worm (W32/Dextro.worm!p2p).
NAV identifies it as IRCbot.

Obviously, further study is required, but if it is Dextro, it is a low-level threat according to McAfee. Here is their analysis:

http://vil.nai.com/vil/content/v_125652.htm

VB.. yuck. I suppose this is enough for your needs? Let me know if you need anything else, such as removal instructions for your IRC users.

MD5: 42c02e3038b08fa3955454223c1889f9

        Gadi Evron.

--
Email: ge () linuxbox org.  Work: gadie () cbs gov il. Backup: ge () warp mx dk.
Phone: +972-50-428610 (Cell).

PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450
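The triage steps the two posters describe (record the file size and MD5, pull printable strings, notice the UPX packing) can be scripted so a sample is identified the same way every time. The following is an added example, not code from either poster; it runs on a constructed minimal PE image built inline rather than on the worm from the thread, the constructed strings merely echo the ones quoted above, and its packer check is only the well-known UPX section-name heuristic (a packer that renames sections, or a wrapper such as PE_Patch around it, will not trip it).

```python
import hashlib
import re
import struct


def build_sample_pe() -> bytes:
    """Constructed stand-in for a packed sample: a minimal PE32 image with
    UPX-style section names and a couple of printable strings in its body.
    It is not the binary discussed in the thread."""
    sections = [(b"UPX0", 0x1000), (b"UPX1", 0x2000), (b".rsrc", 0x3000)]
    payload = (b"\x00" * 16 + b"tate()dextromethorphan\x00"
               + b"\x00" * 8 + b"http://%s/%s.exe\x00")
    # DOS header: "MZ" signature, e_lfanew at 0x3C pointing past the 64 bytes.
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    # COFF file header: Machine=i386, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    table = b""
    for name, vaddr in sections:
        # IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, PointerToRelocations,
        # PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
        # Characteristics.
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"),
                             0x1000, vaddr, 0, 0, 0, 0, 0, 0, 0xE0000020)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(optional) + table + payload


def pe_section_names(data: bytes) -> list:
    """Walk the DOS header -> PE signature -> COFF header -> section table
    and return the section names. Raises ValueError on anything malformed
    rather than guessing, since hostile samples are exactly the input here."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings` for ASCII runs of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """Collect the identifiers a list post would carry: size, MD5, section
    names, a UPX heuristic and the printable strings."""
    names = pe_section_names(data)
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sections": names,
        "upx_packed": any(n.startswith("UPX") for n in names),
        "strings": printable_strings(data),
    }


if __name__ == "__main__":
    report = triage(build_sample_pe())
    for key in ("size", "md5", "sections", "upx_packed"):
        print(f"{key}: {report[key]}")
    for s in report["strings"]:
        print("  ", s)
```

Hashing the bytes you actually downloaded (not a copy an AV already touched) is what makes the MD5 comparable with the one in this reply; the UPX flag is only a hint that the strings you see belong to the stub, and the interesting ones appear after unpacking.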

