Security Incidents mailing list archives

Ramen worm. More details on it (found a password and e-mails crypted inside it)


From: Mihai Moldovanu <mihaim () PROFM RO>
Date: Tue, 16 Jan 2001 22:19:30 +0200

I completed reverse engineering the ramen worm. There are 3 crypted text messages in the worm:
2 are email addresses:
Decrypted: "gb31337 () hotmail com",  in executable -> "fa20226?gnsl`hk-bnl"
Decrypted: "gb31337 () yahoo com",    in executable -> "fa20226?x`gnn-bnl"
and a crypted password:
Decrypted: "bl3h",                    in executable -> "ak2g"
These texts can be found in almost all ELF worm executables.
The crypting algorithm is very easy.

For each character in the crypted text add 1 and you will obtain the plain text.
I used the following C code to decrypt:

/* text is a char[] holding the crypted bytes; shift every byte up by one in place */
for (i = 0; i < strlen(text); i++) text[i] = text[i] + 1;
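As an added example (not code from the post or from the worm), the program below applies the same add-one rule to the three strings listed above and then scans a constructed binary fragment for their encoded form, which is the check a responder would run to confirm that a suspicious ELF file carries the Ramen strings. The function names, the sample buffer and the indicator list are my own; the sample is not a real worm binary.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: decode a Ramen-style string in place by adding 1 to
 * every byte, exactly as the post describes. Returns the same pointer. */
char *ramen_decode(char *s) {
    for (size_t i = 0; s[i] != '\0'; i++)
        s[i] = (char)(s[i] + 1);
    return s;
}

/* Count how many plaintext indicators occur in a binary blob in their
 * encoded form (every byte minus 1). The blob may contain NUL bytes, so
 * its length is passed explicitly. Returns the number of indicators hit. */
int ramen_scan(const unsigned char *buf, size_t len,
               const char **indicators, size_t n) {
    int hits = 0;
    for (size_t k = 0; k < n; k++) {
        size_t plen = strlen(indicators[k]);
        if (plen == 0 || plen > len) continue;
        for (size_t i = 0; i + plen <= len; i++) {
            size_t j = 0;
            while (j < plen &&
                   (unsigned char)(indicators[k][j] - 1) == buf[i + j]) j++;
            if (j == plen) { hits++; break; }   /* count each indicator once */
        }
    }
    return hits;
}

/* Constructed sample "executable" fragment: an ELF-like header, NUL bytes
 * and junk around the three encoded strings quoted in the post. */
static const unsigned char SAMPLE[] =
    "\x7f" "ELF" "\x00\x01" "junk\x00" "fa20226?gnsl`hk-bnl" "\x00\x90\x90"
    "ak2g" "\x00" "fa20226?x`gnn-bnl" "\x00";

/* Plaintext indicators: the decoded e-mail addresses and password. */
static const char *INDICATORS[] = {
    "gb31337@hotmail.com", "gb31337@yahoo.com", "bl3h"
};

int ramen_scan_sample(void) {
    return ramen_scan(SAMPLE, sizeof SAMPLE - 1, INDICATORS, 3);
}

int main(void) {
    char enc[] = "fa20226?gnsl`hk-bnl";
    printf("decoded: %s\n", ramen_decode(enc));
    printf("%d of 3 indicators found in sample\n", ramen_scan_sample());
    return 0;
}
```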

The asp executable (the one which gets installed in /sbin/asp and serves requests on 27374) has a strange getline function coded which seems to be specially crafted to allow remote upload / execution of code. Unfortunately I can't prove that function has a buffer overflow in it.




--
Lead programmer,
Mihai Moldovanu (mihaim () profm ro)
WEB:    http://tfm.profm.ro/
        http://www.slashdot.ro/

