Security Incidents mailing list archives

Re: Worm1800.exe on UnderNet?

From: Kelly Brown <kellyb () sd us am ericsson se>
Date: Thu, 20 Jun 2002 15:59:01 -0700 (PDT)

Did you look at the website.  They straight out say...

This Site was designed to help infected IRC users to find proper
information, the author does not accept any liability for any damage, loss
of data or loss of service caused by the use or misuse of this site. Use
at your own risk.

I don't know how you can misuse a website designed to infect people...

Anyway it looks like somebody connected with nohack.net may have something
to do with it.  If you are want to follow up you may want to email
webteam () nohack net as they are referenced in the web page source
code.  Maybe they can get the web site removed...  I doubt it but you
never know.



Kelly Brown
Unix System Administrator
Ericsson CDMA Systems

On Thu, 20 Jun 2002, cw wrote:

Hi there folks,
Twice in the past hour I have been messaged by two separate people on 
UnderNet.

The message goes:
:!Notice!: A Recent Port Scan on your Computer reveals that Port 1800 
is in open state. This usually means that you have been infected with 
an IRC Worm Virus. Please download the cleaner at: 
http://www.No-Hack.Us/Fixes/Worm1800.exe to remove the virus from 
your system. If you do not comply with this rule within 30 minutes, 
our client monitor will ban you from this network. -Thanks For 
Understanding. UNDERNet Exploit Team

The nicks have both been Under-XXX (where XXX is a different set of 
numbers).

For one, I know that port 1800 is not open however the file 
Worm1800.exe does not show up anything when scanned.

Both of the users that messaged me were on pacbell.net adsl

The domain no-hack.us was only registered 6 days ago.

I don't have the spare time or computer to have a further look into 
what this file actually does, has anyone come across this yet and 
know what it does or is anyone willing to investigate?
-- 
O- cw, cw () fidei co uk on 20/06/2002
"Part man, part monkey. Baby that's me"


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Worm1800.exe on UnderNet? cw (Jun 20)
- Re: Worm1800.exe on UnderNet? Alex Lambert (Jun 20)
- Re: Worm1800.exe on UnderNet? Jean-Luc (Jun 20)
  - Re: Worm1800.exe on UnderNet? Ryan Russell (Jun 20)
- Re: Worm1800.exe on UnderNet? Kelly Brown (Jun 20)
  - Re: Worm1800.exe on UnderNet? K. Graham (Jun 21)
  - Re: Worm1800.exe on UnderNet? bonk (Jun 21)
  - FollowUp: Worm1800.exe on UnderNet? cw (Jun 21)
    - Re: FollowUp: Worm1800.exe on UnderNet? Ryan Russell (Jun 21)
- <Possible follow-ups>
- RE: Worm1800.exe on UnderNet? Darren Windham (Jun 20)