Security Incidents mailing list archives

Re: possible new irc worm

From: Paolo Monti <paolo.monti () effetime it>
Date: Sat, 28 Jun 2003 21:10:04 +0200

At 01.52 28/06/2003 -0400, Chris Ess wrote:

What I've come up with so far is this:

The vector appears to be a zip file that contains an HTML file.  The HTML
file has, at the beginning of it, a base64-encoded executable of some
sort.


Yes, I decoded easily the MIME stuff using WinZip. Here you are a quick & dirty analisys. The file decoded is a Win32 
PE executable compressed by UPX: it is a new variant of Backdoor.SdBot, an IRC RAT that permits to malicious people to 
control PCs where the backdoor has been installed. On execution, the backdoor copies itself on the %Sysdir% folder and 
modifies the Registry to be executed automatically at every system startup:

Values added: 2
---------------
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "hpsched"
                Type: REG_SZ
                Data: hpsched.exe
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "hpsched"
                Type: REG_SZ
                Data: hpsched.exe

I wrote "on the fly" a detection/removal tool, by the way. People interested may download it here:

http://www.nod32.it/cgi-bin/mapdl.pl?tool=Mindjail

ciao,
Paolo.
---
Future Time S.r.l.                                             tel  +39-06-5034227
Distributore esclusivo NOD32 e Outpost             fax +39-06-5037078
e-mail: paolo.monti () effetime it                          www.nod32.it 

NOD32, il piu' veloce e preciso antivirus del mondo, parola di Virus Bulletin
************************ Proteggi il tuo mondo digitale ***************************


----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Current thread:

possible new irc worm ZSisic (Jun 27)
- Re: possible new irc worm Becky (Jun 27)
- Re: possible new irc worm rewt (Jun 27)
  - Re: possible new irc worm Chris Ess (Jun 28)
    - Re: possible new irc worm Paolo Monti (Jun 28)
- Re: possible new irc worm Axel Pettinger (Jun 28)
  - Re: possible new irc worm Chris Ess (Jun 29)