Security Incidents mailing list archives
Ramen worm . More details on it. ( found a password and e-mails crypted inside it)
From: Mihai Moldovanu <mihaim () PROFM RO>
Date: Tue, 16 Jan 2001 22:19:30 +0200
I completed reverse engineering the ramen worm. There are 3 crypted text messages in the worm.

2 are email addresses:

    Decrypted: "gb31337 () hotmail com", in executable -> "fa20226?gnsl`hk-bnl"
    Decrypted: "gb31337 () yahoo com", in executable -> "fa20226?x`gnn-bnl"

and a crypted password:

    Decrypted: "bl3h", in executable -> "ak2g"

These texts can be found in almost all ELF worm executables.

The crypting algorithm is very easy. For each character in the crypted text add 1 and you will obtain the plain text. I used the following C code to decrypt:

    for (i = 0; i < strlen(text); i++)
        text[i] = text[i] + 1;   /* stored byte + 1 = plain text */

The asp executable (the one which gets installed in /sbin/asp and serves requests on 27374) has a strange getline function coded, which seems to be specially crafted to allow remote upload / execution of code. Unfortunately I can't prove that function has a buffer overflow in it.

--
Lead programmer, Mihai Moldovanu (mihaim () profm ro)
WEB: http://tfm.profm.ro/ http://www.slashdot.ro/
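An added example (not part of the message above and not code from the worm): a small C triage scanner that applies the add-one decoding from the post to every printable run in a buffer and reports the runs that decode to an e-mail address. The function names, the 6-byte minimum run length and the sample buffer are assumptions made for the illustration; the encoded strings are the ones quoted in the post.

```c
#include <stdio.h>
#include <string.h>
#define HIT_MAX 64   /* longest decoded string kept, including the NUL */

/* Constructed sample: a fake image holding the encoded strings quoted in the post. */
static const unsigned char sample[] =
    "\x7f" "ELF\0/sbin/asp\0fa20226?gnsl`hk-bnl\0ak2g\0fa20226?x`gnn-bnl\0";

/* Undo the obfuscation described in the post: stored byte + 1 = plain text. */
static void ramen_decode(const unsigned char *in, size_t n, char *out) {
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(in[i] + 1);
    out[n] = '\0';
}

/* Rough shape test: exactly one '@', text before it, and a '.' inside the domain. */
static int looks_like_email(const char *s) {
    const char *at = strchr(s, '@');
    if (!at || at == s || strchr(at + 1, '@')) return 0;
    const char *dot = strchr(at + 1, '.');
    return dot && dot > at + 1 && dot[1] != '\0';
}

/* Decode each run of bytes 0x20..0x7d (printable ASCII minus one) and keep
   the runs that decode to an e-mail address. Runs shorter than 6 bytes or
   too long for a hit slot are skipped. Returns the number of hits stored. */
size_t scan_shifted_emails(const unsigned char *buf, size_t len,
                           char hits[][HIT_MAX], size_t max_hits) {
    size_t found = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && buf[i] >= 0x20 && buf[i] <= 0x7d)
            continue;                      /* still inside a candidate run */
        size_t n = i - start;
        if (n >= 6 && n < HIT_MAX && found < max_hits) {
            ramen_decode(buf + start, n, hits[found]);
            if (looks_like_email(hits[found])) found++;
        }
        start = i + 1;                     /* next run begins after this byte */
    }
    return found;
}

int main(void) {
    char hits[8][HIT_MAX];
    size_t n = scan_shifted_emails(sample, sizeof sample - 1, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("decoded e-mail string: %s\n", hits[i]);
    return 0;
}
```

The 4-byte encoded password is below the minimum run length and has no e-mail shape, so it is not reported; matching it needs an exact search for the encoded string.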