Security Incidents mailing list archives
Re: possible new irc worm
From: Paolo Monti <paolo.monti () effetime it>
Date: Sat, 28 Jun 2003 21:10:04 +0200
At 01.52 28/06/2003 -0400, Chris Ess wrote:
What I've come up with so far is this: The vector appears to be a zip file that contains an HTML file. The HTML file has, at the beginning of it, a base64-encoded executable of some sort.
Yes, I easily decoded the MIME stuff using WinZip. Here is a quick & dirty analysis.

The decoded file is a Win32 PE executable compressed by UPX: it is a new variant of Backdoor.SdBot, an IRC RAT that permits malicious people to control PCs where the backdoor has been installed.

On execution, the backdoor copies itself to the %Sysdir% folder and modifies the Registry to be executed automatically at every system startup:

Values added: 2
---------------
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  "hpsched"  Type: REG_SZ  Data: hpsched.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  "hpsched"  Type: REG_SZ  Data: hpsched.exe

I wrote "on the fly" a detection/removal tool, by the way. People interested may download it here:
http://www.nod32.it/cgi-bin/mapdl.pl?tool=Mindjail

ciao,
Paolo.

---
Future Time S.r.l.                              tel +39-06-5034227
Exclusive distributor of NOD32 and Outpost      fax +39-06-5037078
e-mail: paolo.monti () effetime it              www.nod32.it
NOD32, the fastest and most accurate antivirus in the world, according to Virus Bulletin
************************ Protect your digital world ***************************
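The delivery vector described in this thread (a zip containing an HTML file that starts with a base64-encoded UPX-packed PE) is something a responder can triage without running anything. The following Python script is an added example, not part of Paolo's post or of the NOD32 tool: it opens a zip, pulls base64 runs out of any HTML entries, decodes them, and checks whether the result has a valid MZ/PE header, reporting section names so a UPX-packed sample (sections named UPX0/UPX1) stands out. The sample archive it builds is constructed in-line from a hand-made PE header with no code in it; the entry names and the `hpsched`-free content are assumptions for the demo.

```python
import base64
import io
import re
import struct
import zipfile

# Runs of base64 alphabet characters (MIME-style line breaks allowed), at least 64 long.
B64_RUN = re.compile(rb'[A-Za-z0-9+/=\r\n]{64,}')


def inspect_pe(data):
    """Return (is_pe, section_names). Walks DOS header -> e_lfanew -> 'PE\\0\\0'
    -> COFF header -> section table; anything malformed is reported as 'not a PE'."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False, []
    e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return False, []
    num_sections = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size
    names = []
    for i in range(num_sections):
        off = table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b'\0').decode('ascii', 'replace'))
    return True, names


def scan_zip(zip_bytes):
    """Find HTML entries in a zip whose text carries a base64-encoded PE file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(('.htm', '.html')):
                continue
            content = zf.read(info.filename)
            for match in B64_RUN.finditer(content):
                blob = re.sub(rb'\s+', b'', match.group(0))
                try:
                    decoded = base64.b64decode(blob, validate=True)
                except ValueError:
                    continue              # not well-formed base64 after all
                is_pe, sections = inspect_pe(decoded)
                if is_pe:
                    findings.append({
                        'entry': info.filename,
                        'offset': match.start(),
                        'size': len(decoded),
                        'sections': sections,
                        'upx': any(s.startswith('UPX') for s in sections),
                    })
    return findings


def build_fake_pe():
    """Constructed sample: a PE *header* with UPX-style section names and no code."""
    dos = bytearray(0x80)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3c, 0x80)     # e_lfanew -> PE header at 0x80
    # 'PE\0\0' + IMAGE_FILE_HEADER: Machine=i386, 3 sections, SizeOfOptionalHeader=0
    coff = struct.pack('<IHHIIIHH', 0x4550, 0x14c, 3, 0, 0, 0, 0, 0x0102)
    table = b''.join(name.ljust(8, b'\0') + b'\0' * 32
                     for name in (b'UPX0', b'UPX1', b'.rsrc'))
    return bytes(dos) + coff + table + b'\0' * 64


def build_sample_zip():
    """Constructed sample archive: the base64 blob sits at the top of the HTML."""
    html = base64.encodebytes(build_fake_pe()) + b'<html><body>hi :)</body></html>\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('hello.html', html)
        zf.writestr('readme.txt', 'plain text, nothing embedded')
    return buf.getvalue()


if __name__ == '__main__':
    for f in scan_zip(build_sample_zip()):
        print(f"{f['entry']}: base64 PE at offset {f['offset']}, "
              f"{f['size']} bytes, sections {f['sections']}, UPX={f['upx']}")
```

Point `scan_zip` at the bytes of a real attachment and it reports each HTML entry that decodes to a PE, where in the file the blob starts, and the section names; the decoded bytes can then be handed to an AV engine or hashed for an IoC, which is exactly the kind of check a mail gateway or an analyst's triage box would run before anyone double-clicks the HTML.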
Current thread:
- possible new irc worm ZSisic (Jun 27)
- Re: possible new irc worm Becky (Jun 27)
- Re: possible new irc worm rewt (Jun 27)
- Re: possible new irc worm Chris Ess (Jun 28)
- Re: possible new irc worm Paolo Monti (Jun 28)
- Re: possible new irc worm Chris Ess (Jun 28)
- Re: possible new irc worm Axel Pettinger (Jun 28)
- Re: possible new irc worm Chris Ess (Jun 29)