Re: is there a new virus?

[Matt <matthew () textbox net>]

I don't use any AV software - I'm a Linux user. I was able to get the
bot off another computer that was infected and check the configuration
of the mirc.ini to get the update location (geocities). They have since
moved the update.exe and I didn't think to keep a copy of it... =-/
-- 
Matt <matthew () textbox net>
Textbox Networks

On Thu, 2003-06-19 at 04:53, Nick FitzGerald wrote:
> Hi Matt,
>
> > I have noticed an increase in irc bots using spreader methods, ...
>
> Yep.  Self-spreading, rather than just having a few simple vuln 
> scanning options that could be started through the bot and results 
> retrived later, or more recently, by running a full-featured vuln 
> scanner standalone and reporting the results back, has become very 
> popular in the bot market this year...
>
> > ... I came
> > across one recently that was bombing my IP over and over:
> >
> > Typical mIRC DDoS bot:
> > dosusal.exe (mIRC executable)
> > fasdal.exe
> > index.html (for web stats)
> > llpxy.exe
> > markmewd.exe (hide startup)
> > ox.ocx (main script file)
> > proxy.exe (starts proxies)
> > proxy.log
> > quale.dll (edited moo.dll)
> > sipal.exe
> > smqdate.exe (hidewindow)
> > sptr.exe
> > sqlme.exe
> > teaw.exe
> > wins.ini (mIRC.ini)
> > wire.exe
> > After checking it out it seems to have syn attacks, starting a proxy
> > server,e-mail spreading, sql spreading, iis spreading, netbios/local
> > network spreading, icq messaging.
>
> Although I can't say I've seen that specific one, the pattern is 
> certainly very familiar.  I presented a paper at AusCERT 2003 a month 
> or so back on an interesting side effect of this kind of thing -- 
> virus scanner developers are increasingly being sent "legitimate" 
> files that they cannot afford to add detection of because of false 
> positive detection issue  The copies of mIRC, Serv-U FTPD and so on 
> commonly used in these bot network kits are (usually) perfectly 
> "straight" copies of legitimate versions of those programs.  Further,
> the configuration, script and batch files that install these programs 
> and shape them into bot net agents are highly variable and thus very 
> difficult (if not impossible) to detect generically or heuristically.
>
> Anyway, was the one you describe above detected by your preferred 
> virus scanner(s)?  If not, please send the developers of the 
> scanner(s) copies of the files so they can add detection.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html