Security Incidents mailing list archives
Re: New IRC Worm?
From: Gadi Evron <ge () linuxbox org>
Date: Wed, 26 May 2004 09:19:57 +0200
Mister Coffee wrote:
Good day, I'm an admin on a small IRC network and take a personal interest in dealing with all the various worms that seem to cruise by. Recently, we've seen a spate of connections where a "user" signs in, jumps into a channel and spews "http://<client IP>/<random>.exe" then channel hops. Usually repeated several times before it either disconnects or is killed by an oper. Relatively typical bot behavior. I was able to download the virus to a *NIX box for posterity. Strings output caught the somewhat odd "tate()dextromethorphan" in the body. Evidently this is a drug found in cough medicine and subject to abuse? In any case, I was curious to know if anyone else had seen this. File size is 45568 and I can make it available if someone wants to examine it. I suspect an ago/gao/phat/etc/bot variant but figured I'd ask before deconstructing. TIA
Provided with the sample I looked into it. I haven't done any exhaustive study, but from a first glance there are a few things I can tell you about it.
It looks a bit like an IRCbot, both the binary and the behavior you describe on IRC, but I don't think it is. Most AVs don't detect it; those that do detect it heuristically agree that it is an IRCbot as well.
It is double-packed, using PE_Patch and UPX. VB - yuck. Kaspersky calls it Backdoor.VB.qa. NAI identifies it as Dextro, a p2p worm (W32/Dextro.worm!p2p). NAV identifies it as IRCbot. Obviously, further study is required, but if it is Dextro, it is a low-level threat according to McAfee. Here is their analysis:
http://vil.nai.com/vil/content/v_125652.htm
VB.. yuck. I suppose this is enough for your needs? Let me know if you need anything else, such as removal instructions for your IRC users.
MD5: 42c02e3038b08fa3955454223c1889f9
Gadi Evron.
--
Email: ge () linuxbox org. Work: gadie () cbs gov il. Backup: ge () warp mx dk.
Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450
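The behavior Mister Coffee describes (a nick connects, joins a channel, posts "http://<client IP>/<random>.exe", then hops to the next channel and repeats) is easy to flag from server-side logs. The script below is an added example written for this archive page, not code from either poster or from any IRC daemon; it assumes a hypothetical log format (one event per line: CONNECT/JOIN/PART/PRIVMSG with nick, channel and text) and runs over a few constructed log lines. It reports nicks that dropped an IP-hosted .exe URL into more than one channel and notes when the URL host is the nick's own connecting address, which is the detail in the report that separates this from a user merely pasting a link.

```python
import re
from collections import defaultdict

# Matches the "http://<IP>/<random>.exe" drop URLs described in the report.
IP_EXE_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})/\S+?\.exe\b", re.IGNORECASE)

# Constructed sample in a hypothetical server-log format (not a real ircd's format):
#   <time> CONNECT <nick> <ip>
#   <time> JOIN|PART <nick> <channel>
#   <time> PRIVMSG <nick> <channel> <text>
SAMPLE_LOG = """\
12:00:00 CONNECT coolguy 10.1.2.3
12:00:01 JOIN coolguy #help
12:00:02 PRIVMSG coolguy #help http://10.1.2.3/ab3f9.exe
12:00:03 PART coolguy #help
12:00:04 JOIN coolguy #chat
12:00:05 PRIVMSG coolguy #chat http://10.1.2.3/ab3f9.exe
12:00:06 PART coolguy #chat
12:00:07 JOIN coolguy #linux
12:00:08 PRIVMSG coolguy #linux http://10.1.2.3/ab3f9.exe
12:00:09 CONNECT alice 192.0.2.7
12:00:10 PRIVMSG alice #help has anyone tried http://example.org/tool.exe ?
12:00:11 PRIVMSG bob #chat hello everyone
"""


def parse_log(text):
    """Yield (time, event, nick, arg, msg) tuples; msg is None except for PRIVMSG."""
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue  # malformed or blank line, skip
        time, event, nick, arg = parts[:4]
        msg = parts[4] if len(parts) == 5 else None
        yield time, event, nick, arg, msg


def find_url_spammers(text, min_channels=2):
    """Return {nick: report} for nicks that posted IP/.exe URLs in >= min_channels channels.

    Each report carries: channels (sorted), urls (sorted), joins (JOIN count, a proxy
    for channel hopping) and self_hosted (True when a URL host equals the nick's own
    connecting IP, i.e. the bot is advertising its own host as the download server).
    """
    client_ip = {}
    hits = defaultdict(lambda: {"channels": set(), "urls": set(), "joins": 0, "self_hosted": False})
    for _time, event, nick, arg, msg in parse_log(text):
        if event == "CONNECT":
            client_ip[nick] = arg
        elif event == "JOIN":
            hits[nick]["joins"] += 1
        elif event == "PRIVMSG" and msg:
            for m in IP_EXE_URL.finditer(msg):
                rec = hits[nick]
                rec["channels"].add(arg)
                rec["urls"].add(m.group(0))
                if client_ip.get(nick) == m.group(1):
                    rec["self_hosted"] = True
    return {
        nick: {"channels": sorted(r["channels"]), "urls": sorted(r["urls"]),
               "joins": r["joins"], "self_hosted": r["self_hosted"]}
        for nick, r in hits.items() if len(r["channels"]) >= min_channels
    }


if __name__ == "__main__":
    for nick, rec in find_url_spammers(SAMPLE_LOG).items():
        print(nick, rec)
```

On the constructed sample only "coolguy" is reported: three channels, three joins, one URL, and self_hosted set because the URL host 10.1.2.3 is the address it connected from. "alice" pastes an .exe link too, but its host is not an IP literal and she stays in one channel, so she is not flagged; raising min_channels tunes how many channels a nick must hit before an oper is alerted.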
Current thread:
- New IRC Worm? Mister Coffee (May 25)
- Re: New IRC Worm? Gadi Evron (May 26)