Re: Internet Wide DOS Attack using IRC (real deal)

From: Derek Reynolds (derekat_private)
Date: Fri Oct 02 1998 - 23:50:21 PDT


    Hello Dbarba and other bugtraqers,
    
    Since most of you are in cluebie land about this little sploit, let me
    inform you what is really going on.
    
    OK, boys and girls, let's review. First of all, it's a self-extracting
    file which extracts a script file which is loaded via the trojan's DDE
    client, in turn connecting to mIRC's DDE server and executing a load -rs
    (to load the exploitable script file).
    
    The script which it loads does not take effect until the user restarts
    mIRC, in which case the event "on start" triggers. On start it
    connects to the predefined URL via mIRC sockets (port 80).
    
    The danger with this particular script it auto-loads is that
    inside the script code it contains events which automatically DCC
    send the binary (trojan exe) to other users, which results in mass
    distribution.
    
    To make sure you are not exploitable, in mIRC click on the menu item "Tools"
    and then "Remote" and delete any suspicious loaded script files which
    may be present.
    
    
    Best Regards,
     Derek                            mailto:derekat_private
    myn@efnet
    
    Friday, 2 October 1998, you wrote:
    
    d>    Please forward this on to the appropriate people if necessary.
    
    d>    GeoCities is currently experiencing a DOS attack that appears to be
    d>    spread by a trojan horse in a mIRC script.
    
    d>    GeoCities is receiving thousands of HTTP requests from thousands of
    d>    unique computers daily for a file that no longer exists on our servers.
    d>    The specific count for one minute on Friday, September 25 at 10:17 am
    d>    was 3,522 hits, 1,492 of them were from unique IPs.  For the time
    d>    period of 3 am to 10:17 am on 9/25 we had 3,562 unique IPs request this
    d>    one file.  It does not appear to be specifically requested by the user
    d>    of that computer.  This request uses no browser and is usually
    d>    requesting the file every 30 seconds while the user is connected to
    d>    the Internet.  The requests are coming from around the world and have
    d>    been slowly building up since at least August 18, 1998 (the farthest
    d>    back our access logs go).
    
    d>    The attack is requesting a file from our site:
    
    d>      http://www.geocities.com/Area51/Stargate/5845/nfo.zip
    
    d>    The complete content of the 5845 directory was:  nfo.zip, nfo.jpg,
    d>    servers.zip, servers.jpg, users.zip and users.jpg.  When I looked at
    d>    the binary files by doing a cat, the users jpg & zip files were the
    d>    same, but the other files were all unique.
    
    d>    It does not use a browser or store cookies.  At the moment, the file
    d>    being requested is of zero size.  When there is a file of size,
    d>    originally it was 8k and I later inserted a short note to contact me
    d>    regarding the attack into the nfo.zip file, at which time the attack
    d>    becomes much worse on the Windows machines that are requesting the file.
    
    d>    Also, an odd note, there are a couple machines that are requesting
    d>    the file named nfo.jpg.  Those are requested every minute instead of
    d>    every 30 seconds.
    
    d>    I have contacted a user that complained about GeoCities attacking him.
    d>    In reality, his computer was asking for the nfo.zip file from us every
    d>    30 seconds, and that was flooding his connection to the internet.  I
    d>    have worked with him closely since he found the problem.  He only uses
    d>    IRC.  In fact, the first time he visited our website is after the
    d>    attack started, when he was looking for a contact name and number.  He
    d>    does not surf the internet.  He has subsequently reinstalled his OS and
    d>    that has completely stopped the attack.
    
    d>    We did find an entry in his registry with the following setting:
    
    d>    /microsoft/windowsexplorer/doc/find/spec/mru
    d>    a) " "
    d>    b) 5845
    d>    c) nfo
    d>    d) bo
    d>    e) nfo.zip
    d>    f) winrar
    d>    g) msvbvm60.dll
    d>    h) loadwc
    d>    i) stargate
    d>    j) area51
    d>    mrulist) eadcbjihgf
    
    d>    When the user deleted the registry entry, the attack from his machine
    d>    went from 1 GET every 30 seconds to 1 GET every second.  After about
    d>    10 minutes, it started slowing up and finally settled into about 1 GET
    d>    every 17-20 seconds.
    
    d>    I also asked our ISP to help track some of this and this was their
    d>    result.  "All the IPs I've scanned so far from the log have several
    d>    UDP ports open in the 31337 range (what Back Orifice uses)."
    
    d>    So, we really need to find the source instead of asking everyone to
    d>    reinstall their OS.  It might also be necessary to inform the various
    d>    virus-detection software vendors to try to eradicate this from all of
    d>    the machines that currently have it installed.
    
    d>    Thank you for your help,
    
    d>    Debbie Barba
    d>    SysAdmin
    d>    dbarbaat_private
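A server-side check for the polling pattern Debbie describes, added here as an example (it is not code from either poster). It scans Apache combined-format access log lines for hosts that fetch one path at a steady cadence of about 30 seconds while never sending a browser User-Agent; the log lines are constructed, and the period, tolerance and minimum-hit thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines (not from the original post): one host
# polling nfo.zip every 30 s with no User-Agent, one normal browser hit, and one
# host that also sends no User-Agent but whose requests arrive irregularly.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/1998:10:17:00 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 200 0 "-" "-"
10.0.0.5 - - [25/Sep/1998:10:17:30 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 200 0 "-" "-"
10.0.0.5 - - [25/Sep/1998:10:18:00 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 200 0 "-" "-"
10.0.0.5 - - [25/Sep/1998:10:18:30 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 200 0 "-" "-"
192.0.2.9 - - [25/Sep/1998:10:17:05 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 200 0 "-" "Mozilla/4.05 [en] (Win95; I)"
203.0.113.7 - - [25/Sep/1998:10:17:02 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 200 0 "-" "-"
203.0.113.7 - - [25/Sep/1998:10:17:10 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 200 0 "-" "-"
203.0.113.7 - - [25/Sep/1998:10:19:55 -0700] "GET /Area51/Stargate/5845/nfo.zip HTTP/1.0" 200 0 "-" "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_log(text):
    """Yield (ip, timestamp, path, user_agent) per line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], m["ua"]

def find_beacons(text, path, period=30.0, tolerance=3.0, min_hits=3):
    """Return [(ip, hit_count, median_gap_seconds)] for clients that fetch `path`
    at a steady cadence of about `period` seconds and never send a browser User-Agent.
    The period/tolerance/min_hits thresholds are assumptions, tuned to the post."""
    per_ip = defaultdict(list)  # ip -> [(timestamp, user_agent), ...]
    for ip, ts, req_path, ua in parse_log(text):
        if req_path == path:
            per_ip[ip].append((ts, ua))
    flagged = []
    for ip, entries in per_ip.items():
        # A real browser UA on any request, or too few hits, rules the host out.
        if len(entries) < min_hits or any(ua not in ("", "-") for _, ua in entries):
            continue
        stamps = sorted(ts for ts, _ in entries)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(gaps)  # median resists a single late/early hit
        if abs(med - period) <= tolerance:
            flagged.append((ip, len(stamps), med))
    return sorted(flagged)
```

Running `find_beacons(SAMPLE_LOG, "/Area51/Stargate/5845/nfo.zip")` flags only 10.0.0.5; the irregular host and the browser visit are left alone.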
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:39 PDT