Not sure if this has already been posted here.

cheers
Reuben

>X-Authentication-Warning: obscure.sekurity.org: majordomo set sender to owner-isnat_private using -f
>Date: Wed, 2 Sep 1998 05:54:21 -0600 (MDT)
>From: mea culpa <jerichoat_private>
>To: InfoSec News <isnat_private>
>Subject: [ISN] Another BO detector that is actually a trojan
>X-NoSpam: Pursuant to US Code; Title 47; Chapter 5; Subchapter II; 227
>X-NoSpam: any and all nonsolicited commercial E-mail sent to this address
>X-NoSpam: is subject to a download and archival fee in the amount of $500 US.
>X-NoSpam: E-mailing to this address denotes acceptance of these terms.
>X-Noarchive: YES
>X-Copyright: This e-mail copyright 1998 by jerichoat_private
>Sender: owner-isnat_private
>Reply-To: mea culpa <jerichoat_private>
>x-unsubscribe: echo "unsubscribe isn" | mail majordomoat_private
>x-infosecnews: x-loop, procmail, etc
>
>
>Forwarded From: Ken Williams <jkwilli2at_private>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>Hi,
>
>    I recently came across a program called "BoSniffer.zip" that the
>author claims will "block key points in the registry from BO as well as
>search for existing installs of the backdoor."
>
>    Close examination has revealed that this is actually a BO server
>with the "SpeakEasy" plugin installed. If you run "BoSniffer.exe", the
>BoSniffer executable (read: BO Server Trojan w/ SpeakEasy) will "attempt
>to log into a predetermined IRC server on channel #BO_OWNED with a random
>username. It then proceeds to announce its IP address and a custom
>message every few minutes."
>
>    This program, "BoSniffer.zip", is currently being widely distributed
>as a "cure for Back Orifice infections". It is probably being distributed
>with other software packages and under other names too. Listed below are
>relevant details about this program.
>
>
>File Sizes (in bytes)
>---------------------
>231068 BoSniffer.exe
>108573 BoSniffer.zip
>
>MD5 fingerprints and strings (checksums)
>----------------------------------------
>MD5 (BoSniffer.zip) = 2d75c4ac54b675778ff22f76f9a6a77f
>MD5 ("string") = b45cffe084dd3d20d928bee85e7b0f21
>
>MD5 (BoSniffer.exe) = 63748087b2e1598fcf34498b0295212e
>MD5 ("string") = b45cffe084dd3d20d928bee85e7b0f21
>
>
>Evidence that BoSniffer.zip is really BO Server with SpeakEasy Plugin
>---------------------------------------------------------------------
>sector 0x028C38
>irc.lightning.net:7000:Hey MASTER where are u!!!
>
>sector 0x0303F0 - sector 0x0306D8
>BO ButtPlugs and goodies...http://www.netninja.com/bo.html
>AJ Reznor: The pierced, tattooed grand master god of flame wars!
>Who is John Galt?
>Yes, you too can own my box with this special introductory offer of $0.00!
>I'm sad to see Kontrol Faktory go away.
>Use Linux!
>This box is now property of the Illuminati.
><<tap>> <<tap>> <<tap>>...Is this thing on?
>Where do *YOU* want to go today?!
>
>sector 0x031848
>SpeakEasy.dll
>
>sector 0x0318A8 - sector 0x031980
>#BO_OWNED with IRC commands:
>Own Me @ .NOTICE .JOIN #BO_OWNED host server :Owned USERNICK BO
>.QUIT Psssst...Speakeasy was told to shut down
>.NOTICE #BO_OWNED :Psssst...Speakeasy just started up
>
>
>You get the idea by now, hopefully.
>
>Instructions on removing BO Servers from compromised servers can be
>found at: http://www.iss.net/xforce/alerts/advise5.html
>or by searching through the NTBUGTRAQ archives at:
>http://ntbugtraq.ntadvice.com/archives/
>
>If anyone wants a copy of BoSniffer.zip for further examination, send
>email to Packet Storm Security at PacketStormat_private
>Please note that we will disregard any non-corporate or suspicious
>requests.
>
>Regards,
>
>Ken Williams
>
>Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
>E.H.A.P. Corporation http://www.ehap.org/ ehapat_private infoat_private
>NCSU Comp Sci Dept http://www.csc.ncsu.edu/ jkwilli2at_private
>PGP DSS/DH/RSA Keys http://www.genocide2600.com/cgi-bin/finger?tattooman
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 5.0i for non-commercial use
>Charset: noconv
>
>iQEVAwUBNerX1ZDw1ZsNz1IXAQF5UQf/VygM5JDLYU7TiDQn6Isa3sC9glgrGumU
>snhykpFm3b4lYYnoZY+PQUabptp8KWfvB4Hf/4vc3sDJca62Zzh1QRgAzOnWbcPl
>fA7+eQNn+bVn6k91TIaEfllhA4CMB/U8L21pPBIuL4KYOmPyB/qXprRyqrg06AQ7
>KsdZ5krEYxrSVHJa1TcFws1OCoQeK7sX9C3x/Ys9v42k3nGthVJw3UAXTCisf3av
>glUe0jvDsMGtT9pFnq9Mg/iHeMA+uHMOGjkdU9/PDDunJ9DBht49ZLLAxdfy6nYH
>5PuQMH268XsCDbT/aFxYem8iYe8oPDgGDFFQSQ4j8bLjQR+RpPr5Aw==
>=c3QA
>-----END PGP SIGNATURE-----
>
>-o-
>Subscribe: mail majordomoat_private with "subscribe isn".
>Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
>
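The post's triage has two parts: an MD5 fingerprint of the suspect files, and a list of strings found at fixed byte offsets inside BoSniffer.exe (the IRC server and channel, the SpeakEasy.dll name, the ButtPlug banner). The script below is an added example, not part of the forwarded message and not a Packet Storm tool; it reproduces that triage on an arbitrary file: hash it, compare the hash with the two MD5 values the post lists, and scan for the post's indicator strings, reporting each hit as a hex offset in the same style as the "sector 0x..." lines. The sample buffer at the bottom is constructed filler with three of the strings planted at known positions so the scan has targets; it is not the real binary and its MD5 will not match the post's values.

```python
"""Triage a suspected 'BO detector': hash it and look for the embedded
strings the post reports inside a Back Orifice server + SpeakEasy plugin.
Added example with constructed data, not the real BoSniffer.exe."""
import hashlib
from typing import Dict, List

# Strings the post reports finding inside BoSniffer.exe. Assumed to be
# present as plain ASCII bytes (true for the offsets the post quotes).
INDICATORS = [
    b"irc.lightning.net:7000",
    b"#BO_OWNED",
    b"SpeakEasy.dll",
    b"BO ButtPlugs and goodies",
]

# MD5 values the post lists for the two distributed files.
KNOWN_BAD_MD5 = {
    "2d75c4ac54b675778ff22f76f9a6a77f": "BoSniffer.zip (per the post)",
    "63748087b2e1598fcf34498b0295212e": "BoSniffer.exe (per the post)",
}


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a buffer, matching the post's 'MD5 (file) = ...' lines."""
    return hashlib.md5(data).hexdigest()


def find_indicators(data: bytes, indicators=INDICATORS) -> Dict[bytes, List[int]]:
    """Map each indicator to every byte offset at which it occurs."""
    hits: Dict[bytes, List[int]] = {}
    for needle in indicators:
        offsets: List[int] = []
        pos = data.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(needle, pos + 1)
        if offsets:
            hits[needle] = offsets
    return hits


def triage(data: bytes) -> dict:
    """Exact-hash match first; otherwise fall back to the string scan,
    which is what still catches a repackaged copy under another name."""
    digest = md5_hex(data)
    hits = find_indicators(data)
    if digest in KNOWN_BAD_MD5:
        verdict = "known-bad hash: " + KNOWN_BAD_MD5[digest]
    elif hits:
        verdict = "suspicious strings"
    else:
        verdict = "no indicators"
    return {"md5": digest, "hits": hits, "verdict": verdict}


def report(data: bytes) -> str:
    """Render the result with hex offsets, like the post's 'sector 0x...'."""
    result = triage(data)
    lines = [f"MD5 = {result['md5']}", f"verdict: {result['verdict']}"]
    for needle, offsets in result["hits"].items():
        for off in offsets:
            lines.append(f"offset 0x{off:06X}  {needle.decode('ascii')}")
    return "\n".join(lines)


# Constructed sample (NOT BoSniffer.exe): an 'MZ' header, null filler and
# three of the post's strings at known positions so the scan has targets.
SAMPLE = (
    b"MZ" + b"\x00" * 0x400
    + b"irc.lightning.net:7000:Hey MASTER where are u!!!\x00"
    + b"\x00" * 0x100
    + b"SpeakEasy.dll\x00"
    + b".NOTICE #BO_OWNED :Psssst...Speakeasy just started up\x00"
)

if __name__ == "__main__":
    # Real use: print(report(open(path, "rb").read()))
    print(report(SAMPLE))
```

The hash check only ever matches the exact bytes the post saw, so on a file "distributed with other software packages and with other names" the string scan is what does the work; conversely, a build that packed or encoded its strings would slip past a plain byte search and would need to be unpacked or run under observation first.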
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:51 PDT