Vulnerability Development mailing list archives

Re: ICQ 2000


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Mon, 25 Oct 1999 22:03:15 -0700



There is a program called ICQ 2000 that claims to be a new
pre-version of ICQ.
It's kind of a suspicious thing.

Can anyone from here check this program and tell if it's
dangerous or not?

The site is:
http://download-icq2000.hypermart.net/

It's almost certainly a trojan.

I ran it, and it didn't appear to do anything.

(Of course, my sniffer, regmon, and filemon had another story to tell.)

While it sat there "hung" it was advertising itself... to ICQ users:

HTTP: ----- Hypertext Transfer Protocol -----
      HTTP:
      HTTP: Line  1:  POST /scripts/WWPMsg.dll HTTP/1.0
      HTTP: Line  2:  Host: wwp.icq.com
      HTTP: Line  3:  Accept: www/source, text/html, video/mpeg, image/jpeg, image/x-tiff
      HTTP: Line  4:  Accept: image/x-rgb, image/x-xbm, image/gif, */*, application/postscript
      HTTP: Line  5:  Content-type: application/x-www-form-urlencoded
      HTTP: Line  6:  Content-Length: 181
      HTTP: Line  7:
      HTTP:
HTTP: ----- Hypertext Transfer Protocol -----
      HTTP:
      HTTP: Line  1:  from=ICQ&fromemail=ICQ&subject=ICQ2000&body=Try the newest ICQ v.2000 now!!!           Available at: http://download-icq2000.hypermart.net/&to=42401866&Send=Send Message
      HTTP:

Basically, it looks like it's a trojan/worm that uses ICQ users (i.e.
people) as its transport.  A brief glance at the registry and file access
indicates no obvious attempt to "install" itself.  It does a bit of poking
at the registry, IE files, ports, and modem settings, but I believe that is
because it looks like it's using the IE code to pull and post web pages per
above.

The ICQ user ids look random for the few I checked.  There is no obvious
pattern.  It just kept trying over and over again, until I killed it via
ctrl-alt-del (there was no window.)

I used NAI's SnifferPro, but any Windows sniffer should work.  FileMon and
RegMon are both available via www.sysinternals.com .

As I said, it looks harmless, but don't blame me if you run it and it eats
your hard drive.

                                                        BB

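A detection-side illustration of the transport described in the post above (an added example, not code from the original thread): it decodes the web-pager form bodies from a constructed set of captured POSTs to wwp.icq.com and flags a source that pages many distinct UINs with identical text. The (src_ip, host, path, body) record shape, the sample UINs other than 42401866, and the second, legitimate sender are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample records in an assumed (src_ip, host, path, body) shape:
# one machine repeating the ICQ web-pager POST seen in the sniffer capture
# with only "to" changing, plus a single legitimate page from another host.
WORM_BODY = ("from=ICQ&fromemail=ICQ&subject=ICQ2000&body=Try+the+newest+ICQ+v.2000+now!!!"
             "+Available+at%3A+http%3A%2F%2Fdownload-icq2000.hypermart.net%2F"
             "&to={uin}&Send=Send+Message")
CAPTURED_POSTS = [
    ("10.0.0.5", "wwp.icq.com", "/scripts/WWPMsg.dll", WORM_BODY.format(uin=u))
    for u in ("42401866", "17345902", "88120047", "5603311")  # 42401866 is from the capture; rest constructed
] + [
    ("10.0.0.9", "wwp.icq.com", "/scripts/WWPMsg.dll",
     "from=alice&fromemail=alice%40example.net&subject=hi&body=lunch%3F&to=12345&Send=Send+Message"),
]

URL_RE = re.compile(r"https?://[^\s&]+")

def parse_pager_post(body):
    """Decode a form-urlencoded WWPMsg.dll body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def flag_pager_spam(records, min_targets=3):
    """Group web-pager POSTs by (source, subject, decoded body text). A source that
    sends the same text to at least min_targets distinct UINs is flagged.
    Returns a list of (src_ip, subject, sorted target UINs, URLs advertised in the body)."""
    seen = defaultdict(set)
    for src, host, path, body in records:
        if host != "wwp.icq.com" or path != "/scripts/WWPMsg.dll":
            continue
        fields = parse_pager_post(body)
        key = (src, fields.get("subject", ""), fields.get("body", ""))
        seen[key].add(fields.get("to", ""))
    flagged = []
    for (src, subject, text), uins in seen.items():
        if len(uins) >= min_targets:
            flagged.append((src, subject, sorted(uins), URL_RE.findall(text)))
    return flagged

if __name__ == "__main__":
    for src, subject, uins, urls in flag_pager_spam(CAPTURED_POSTS):
        print(f"{src}: subject={subject!r} paged {len(uins)} UINs, advertising {urls}")
```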
