Re: Worm1800.exe on UnderNet?

["K. Graham" <kgraham () ican net>]

http://www.nohack.net does not have any connection with
http://www.No-Hack.Us/Fixes/Worm1800.exe  The people who look after
http://www.nohack.net are a group of individuals that are on the look out
for malicious users who prey on the unsuspecting internet user.

There are many malicious users that falsly represent themselves as being
associated with nohack.net.  They know that the individuals of
http://www.nohack.net have a good reputation for helping to eradicate
malicious scripts, submit new virii to well known anti-virus companies and
assist those in trouble.

There are 2 ways to get to nohack.net.  http://help.dal.net/Nohack or
http://www.nohack.net.  Accept no subsitutes.

I have alerted individuals involved with http://www.nohack.net.  The site
no-hack.us has litterally downloaded and implimented the old
http://www.nohack.net site pages for their own malicious purposes.   Once
again http://www.no-hack.us  is in no way associated with
http://www.nohack.net.

Kim / Zukee

zukee () dal net
zukee () nohack net


----- Original Message -----
From: "Kelly Brown" <kellyb () sd us am ericsson se>
To: "cw" <cw () fidei co uk>
Cc: <incidents () securityfocus com>
Sent: Thursday, June 20, 2002 6:59 PM
Subject: Re: Worm1800.exe on UnderNet?


> Did you look at the website.  They straight out say...
>
> This Site was designed to help infected IRC users to find proper
> information, the author does not accept any liability for any damage, loss
> of data or loss of service caused by the use or misuse of this site. Use
> at your own risk.
>
> I don't know how you can misuse a website designed to infect people...
>
> Anyway it looks like somebody connected with nohack.net may have something
> to do with it.  If you are want to follow up you may want to email
> webteam () nohack net as they are referenced in the web page source
> code.  Maybe they can get the web site removed...  I doubt it but you
> never know.
>
>
>
> Kelly Brown
> Unix System Administrator
> Ericsson CDMA Systems
>
> On Thu, 20 Jun 2002, cw wrote:
>
> > Hi there folks,
> > Twice in the past hour I have been messaged by two separate people on
> > UnderNet.
> >
> > The message goes:
> > :!Notice!: A Recent Port Scan on your Computer reveals that Port 1800
> > is in open state. This usually means that you have been infected with
> > an IRC Worm Virus. Please download the cleaner at:
> > http://www.No-Hack.Us/Fixes/Worm1800.exe to remove the virus from
> > your system. If you do not comply with this rule within 30 minutes,
> > our client monitor will ban you from this network. -Thanks For
> > Understanding. UNDERNet Exploit Team
> >
> > The nicks have both been Under-XXX (where XXX is a different set of
> > numbers).
> >
> > For one, I know that port 1800 is not open however the file
> > Worm1800.exe does not show up anything when scanned.
> >
> > Both of the users that messaged me were on pacbell.net adsl
> >
> > The domain no-hack.us was only registered 6 days ago.
> >
> > I don't have the spare time or computer to have a further look into
> > what this file actually does, has anyone come across this yet and
> > know what it does or is anyone willing to investigate?
> > --
> > O- cw, cw () fidei co uk on 20/06/2002
> > "Part man, part monkey. Baby that's me"
>
> --------------------------------------------------------------------------
--
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com