Security Incidents mailing list archives

new ddos client?


From: Andy Shelley <andy () cbeyond net>
Date: Fri, 7 Mar 2003 17:51:30 -0500

File listing at the end... you'll see that it includes files common to other mIRC based trojans. More unique to this one is the inclusion of a blowfish library and some ActiveX controls. Perhaps my Google skills are not so finely honed, but I couldn't find any previous mention of this particular zombie. If someone has pointers to some in-depth analysis already performed on this package, I'd be interested.

Snort actually spotted the initial login of the trojan. The packet payload included:
 length = 118

000 : 4E 49 43 4B 20 5B 70 41 5D 2D 38 33 34 31 38 0A   NICK [pA]-83418.
010 : 55 53 45 52 20 50 65 61 5E 52 68 61 6D 61 6E 5E   USER Pea^Rhaman^
020 : 20 22 6E 61 74 30 31 2E 64 68 63 70 2D 31 32 30    "nat01.dhcp-120
030 : 2E 63 6F 72 65 2D 32 2E 6F 63 34 38 2E 5B 70 41   .core-2.oc48.[pA
040 : 5D 2D 32 32 31 36 33 2E 67 6F 76 22 20 22 6D 79   ]-22163.gov" "my
050 : 67 69 72 6C 67 6F 74 2E 6E 61 69 6C 65 64 2E 6F   girlgot.nailed.o
060 : 72 67 22 20 3A 50 61 6E 69 63 20 41 74 74 61 63   rg" :Panic Attac
070 : 6B 20 32 2E 30 0A                                 k 2.0.

For email clients that won't format that nicely, the text is:
NICK [pA]-83418
USER Pea^Rhaman^ "nat01.dhcp-120.core-2.oc48.[pA]-22163.gov" "mygirlgot.nailed.org" :Panic Attack 2.0

While I've made some attempt to delve into the purpose of some of the components, I don't have the time to study it in detail. I present it here for the group.

I've found the following files. All were found in the \winnt\fonts directory on a Win2k machine. Some of these files are common among other IRC kits.

The OCX files are ActiveX files for various functions.
DNS.oca
DNS.ocx
msccctl32.ocx
MSWINSCK.OCX
WhoIs.ocx
WINSCK.OCX

blowfish.dll - public domain blowfish encryption library
bootdrv.dll - non-malicious mIRC library that returns machine information
boywonder.dat - non-malicious text file
d2colour.exe - utility to hide windows
msfnt32i.exe - packet generator, used to generate the actual attack
wget.exe - utility used to retrieve files via HTTP or FTP
explorer.exe - modified version of the mIRC client.
Libparse.exe - utility that shows running processes and allows killing of processes
psexec.exe - utility that allows remote command execution
STDE9.exe - remote installer
svchost32.exe - another window hiding utility
mcon.dll - configuration file
moo.dll - library for mIRC that reports various machine statistics
MSWINSCK.DEP - dependency file for setup wizard
navdb.dbx - a list of names/words that the scripts use as IRC nicknames
sysmal.ini - mostly empty config file, probably just needs to exist

I have the above files in a tar.gz archive if previous examples are not available.

--
Andy Shelley
Cbeyond Communications
andy () cbeyond net
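The registration burst Snort caught above is the cheapest place to spot this client: the NICK/USER pair is sent in clear before any channel traffic. The following is an added example, not code from the original post or from any published signature. It reconstructs the payload from the hex dump, parses the IRC registration (RFC 1459 parameter syntax, with the trailing ":" parameter allowed to contain spaces), and matches it against indicators assumed from this single capture only: the "[pA]-NNNNN" nick prefix, the same tag embedded in the claimed hostname, and the "Panic Attack 2.0" realname. It also checks a Fonts-directory listing against the filenames in the post, since nothing but fonts belongs there.

```python
"""Parse an IRC client-registration burst and flag indicators from the
capture in the post.  Added example; the payload is reconstructed from the
hex dump and the indicators are assumptions drawn from that one capture."""

import re

# Constructed from the hex dump in the post: NICK line, then one USER line.
SAMPLE_PAYLOAD = (
    b"NICK [pA]-83418\n"
    b'USER Pea^Rhaman^ "nat01.dhcp-120.core-2.oc48.[pA]-22163.gov"'
    b' "mygirlgot.nailed.org" :Panic Attack 2.0\n'
)

# Indicators taken from the capture; assumed, not a published signature.
NICK_PREFIX_RE = re.compile(r"^\[pA\]-\d+$")
HOST_TAG = "[pA]-"
REALNAME_MARKER = "Panic Attack 2.0"

# Filenames from the post's \winnt\fonts listing.  Matching is
# case-insensitive because NTFS is.
DROPPED_FILES = {
    "dns.oca", "dns.ocx", "msccctl32.ocx", "mswinsck.ocx", "whois.ocx",
    "winsck.ocx", "blowfish.dll", "bootdrv.dll", "boywonder.dat",
    "d2colour.exe", "msfnt32i.exe", "wget.exe", "explorer.exe",
    "libparse.exe", "psexec.exe", "stde9.exe", "svchost32.exe", "mcon.dll",
    "moo.dll", "mswinsck.dep", "navdb.dbx", "sysmal.ini",
}


def split_params(rest):
    """Split IRC parameters: space-separated, except that a parameter
    introduced by ':' runs to end of line and may contain spaces."""
    trailing = None
    if rest.startswith(":"):
        rest, trailing = "", rest[1:]
    elif " :" in rest:
        rest, trailing = rest.split(" :", 1)
    params = rest.split()
    if trailing is not None:
        params.append(trailing)
    return params


def parse_registration(payload):
    """Return nick/user/host/server/realname from a NICK + USER burst.
    Accepts CRLF or bare LF and strips the quotes this client puts around
    its host and server tokens (they contain no spaces, so a plain split
    keeps them whole)."""
    info = {}
    for raw in payload.decode("latin-1").splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        params = split_params(rest)
        if cmd.upper() == "NICK" and params:
            info["nick"] = params[0]
        elif cmd.upper() == "USER" and len(params) >= 4:
            info["user"] = params[0]
            info["host"] = params[1].strip('"')
            info["server"] = params[2].strip('"')
            info["realname"] = params[3]
    return info


def match_indicators(info):
    """Names of the indicators a parsed registration hits, in a fixed order."""
    hits = []
    if NICK_PREFIX_RE.match(info.get("nick", "")):
        hits.append("nick-prefix-[pA]")
    if info.get("realname") == REALNAME_MARKER:
        hits.append("realname-panic-attack-2.0")
    if HOST_TAG in info.get("host", ""):
        hits.append("host-embeds-pA-tag")
    return hits


def suspicious_font_files(listing):
    """Given the filenames found in a Fonts directory, return those that
    appear in the kit's file listing."""
    return sorted(n for n in listing if n.lower() in DROPPED_FILES)


if __name__ == "__main__":
    reg = parse_registration(SAMPLE_PAYLOAD)
    print(reg)
    print("indicators:", match_indicators(reg))
    print("fonts dir:", suspicious_font_files(["arial.ttf", "Explorer.exe"]))
```

Matching on the realname alone is fragile (it is a string in a script the operator can edit), which is why the nick prefix and the host tag are checked separately; a hit on any two of the three is a better trigger than any one. The payload parser works on reassembled stream data, so run it on the TCP payload rather than on individual packets if the client ever splits NICK and USER across segments.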
