Vulnerability Development mailing list archives
Re: ICQ 2000
From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Mon, 25 Oct 1999 22:03:15 -0700
> There is a program called ICQ 2000 that claims to be a new pre-version of ICQ. It's kind of a suspicious thing. Can anyone from here check this program and tell if it's dangerous or not? The site is: http://download-icq2000.hypermart.net/
It's almost certainly a trojan. I ran it, and it didn't appear to do anything. (Of course, my sniffer, regmon, and filemon had another story to tell.) While it sat there "hung" it was advertising itself... to ICQ users:

    HTTP: ----- Hypertext Transfer Protocol -----
    HTTP:
    HTTP: Line 1: POST /scripts/WWPMsg.dll HTTP/1.0
    HTTP: Line 2: Host: wwp.icq.com
    HTTP: Line 3: Accept: www/source, text/html, video/mpeg, image/jpeg, image
    HTTP: /x-tiff
    HTTP: Line 4: Accept: image/x-rgb, image/x-xbm, image/gif, */*, applicatio
    HTTP: n/postscript
    HTTP: Line 5: Content-type: application/x-www-form-urlencoded
    HTTP: Line 6: Content-Length: 181
    HTTP: Line 7:
    HTTP:
    HTTP: ----- Hypertext Transfer Protocol -----
    HTTP:
    HTTP: Line 1: from=ICQ&fromemail=ICQ&subject=ICQ2000&body=Try the newest I
    HTTP: CQ v.2000 now!!! Available at: http://
    HTTP: download-icq2000.hypermart.net/&to=42401866&Send=Send Messag
    HTTP: e

Basically, it looks like it's a trojan/worm that uses ICQ users (i.e. people) as its transport. A brief glance at the registry and file access indicates no obvious attempt to "install" itself. It does a bit of poking at the registry, IE files, ports, and modem settings, but I believe that is because it looks like it's using the IE code to pull and post web pages per above.

The ICQ user IDs look random for the few I checked. There is no obvious pattern. It just kept trying over and over again, until I killed it via ctrl-alt-del (there was no window.)

I used NAI's SnifferPro, but any Windows sniffer should work. FileMon and RegMon are both available via www.sysinternals.com .

As I said, it looks harmless, but don't blame me if you run it and it eats your hard drive.

BB
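As an added example (not code from the post or from anyone in the thread), the following Python parses the captured POST to the ICQ web pager gateway, decodes the form-encoded body, and flags the worm's message by the fixed fields the trace shows (from/fromemail of "ICQ", subject "ICQ2000", and the advertised download-icq2000.hypermart.net URL). The first request is reassembled from the sniffer trace above, with the wrapped lines joined back together and the headers kept as captured; the helper `build_pager_post`, the extra spam POSTs to other UINs, and the benign pager message are constructed here to show the loop over random UINs that the post describes, and are not from the original capture.

```python
"""Parse and flag the ICQ web-pager POST captured from the 'ICQ 2000' trojan.

Added example, not code from the original post. CAPTURED_POST is
reassembled from the sniffer trace; everything else is constructed.
"""
from urllib.parse import parse_qs

ICQ_PAGER_HOST = "wwp.icq.com"
ICQ_PAGER_PATH = "/scripts/WWPMsg.dll"
WORM_SITE = "download-icq2000.hypermart.net"   # site advertised in the spam

# Reassembled from the SnifferPro trace in the post. Content-Length is the
# value the trace shows; the body is the trace's wrapped lines joined up.
CAPTURED_POST = (
    b"POST /scripts/WWPMsg.dll HTTP/1.0\r\n"
    b"Host: wwp.icq.com\r\n"
    b"Accept: www/source, text/html, video/mpeg, image/jpeg, image/x-tiff\r\n"
    b"Accept: image/x-rgb, image/x-xbm, image/gif, */*, application/postscript\r\n"
    b"Content-type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 181\r\n"
    b"\r\n"
    b"from=ICQ&fromemail=ICQ&subject=ICQ2000"
    b"&body=Try the newest ICQ v.2000 now!!! Available at: "
    b"http://download-icq2000.hypermart.net/"
    b"&to=42401866&Send=Send Message"
)


def build_pager_post(fields: dict) -> bytes:
    """Constructed helper: build a WWPMsg.dll POST shaped like the captured one.
    Values are sent unencoded, as they appear in the trace; the Accept
    headers are omitted since they play no part in the detection."""
    body = "&".join(f"{k}={v}" for k, v in fields.items()).encode("latin-1")
    head = (f"POST {ICQ_PAGER_PATH} HTTP/1.0\r\nHost: {ICQ_PAGER_HOST}\r\n"
            "Content-type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("latin-1")
    return head + body


def worm_post(uin: str) -> bytes:
    """Constructed: the worm's message aimed at one UIN (same fields as captured)."""
    return build_pager_post({
        "from": "ICQ", "fromemail": "ICQ", "subject": "ICQ2000",
        "body": f"Try the newest ICQ v.2000 now!!! Available at: http://{WORM_SITE}/",
        "to": uin, "Send": "Send Message",
    })


def parse_http_post(raw: bytes) -> dict:
    """Split a raw HTTP/1.0 request into request line, headers and decoded form."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: dict = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    # parse_qs returns a list per key; the pager form sends one value per key
    form = {k: v[0] for k, v in
            parse_qs(body.decode("latin-1"), keep_blank_values=True).items()}
    return {"method": method, "path": path, "version": version,
            "headers": headers, "form": form,
            "declared_length": int(headers.get("content-length", ["0"])[0]),
            "actual_length": len(body)}


def classify(req: dict) -> dict:
    """Flag a request as the ICQ2000 spam if it is a POST to the pager gateway
    and carries the worm's fixed sender fields, subject, or advertised URL."""
    form = req["form"]
    to_gateway = (req["method"] == "POST" and req["path"] == ICQ_PAGER_PATH
                  and req["headers"].get("host") == [ICQ_PAGER_HOST])
    reasons = []
    if WORM_SITE in form.get("body", ""):
        reasons.append("body advertises " + WORM_SITE)
    if form.get("from") == "ICQ" and form.get("fromemail") == "ICQ":
        reasons.append("from/fromemail are the fixed string 'ICQ'")
    if form.get("subject") == "ICQ2000":
        reasons.append("subject is 'ICQ2000'")
    return {"suspicious": to_gateway and bool(reasons),
            "target_uin": form.get("to"), "reasons": reasons}


def summarize_run(requests: list) -> dict:
    """Over a capture, count flagged POSTs and distinct target UINs: a long run
    with a different UIN per POST is the spam loop the post describes."""
    verdicts = [classify(parse_http_post(r)) for r in requests]
    targets = [v["target_uin"] for v in verdicts if v["suspicious"]]
    return {"total": len(requests), "flagged": len(targets),
            "distinct_targets": len(set(targets))}


# Constructed sample capture: the real request, two more spam POSTs to other
# made-up UINs, and one benign pager message that must not be flagged.
BENIGN_POST = build_pager_post({
    "from": "alice", "fromemail": "alice@example.com", "subject": "lunch",
    "body": "Still on for 12:30?", "to": "12345678", "Send": "Send Message",
})
SAMPLE_RUN = [CAPTURED_POST, worm_post("77123456"), worm_post("9016777"), BENIGN_POST]

if __name__ == "__main__":
    req = parse_http_post(CAPTURED_POST)
    print(req["path"], req["form"]["to"], classify(req))
    print(summarize_run(SAMPLE_RUN))
```

The gateway check (method, path and Host together) is what keeps a benign web-pager message from being flagged; the content indicators alone would also match someone forwarding the text by hand. Run it as a script to see the decoded form fields of the captured request and the run summary.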
Current thread:
- forged packets? Kelvin Fu (Oct 25)
- Re: forged packets? CyberPsychotic (Oct 24)
- Re: forged packets? Ryan Permeh (Oct 25)
- Re: forged packets? Ron DuFresne (Oct 26)
- Re: forged packets? ctor (Oct 25)
- ICQ 2000 Elias Levy (Oct 25)
- Re: ICQ 2000 Blue Boar (Oct 25)
- Re: ICQ 2000 Sean Burford (Oct 25)
- Re: ICQ 2000 Brad Griffin (Oct 26)
- Re: ICQ 2000 Blue Boar (Oct 25)
- icq2000 Brad Griffin (Oct 26)
- Re: ICQ 2000 Damm, Mike (Oct 26)
- Re: ICQ 2000 Brad Griffin (Oct 26)
- FreeBSD listen() 3APA3A (Oct 27)
- Re: FreeBSD listen() CyberPsychotic (Oct 27)
- Re: FreeBSD listen() 3APA3A (Oct 29)
- Re: FreeBSD listen() Matthew S. Hallacy (Oct 30)
- Fw: Trojan/Worm on one of your pages and spams ICQ users. BrainMaster (Oct 28)