ICQ 2000 trojan/worm (VD#5)

From: Blue Boar (BlueBoarat_private)
Date: Sat Nov 06 1999 - 00:18:36 PST


    -------------------------------------------------------------------
    Periodically, the moderator of the vuln-dev mailing list will post
    summaries of issues discussed there to Bugtraq and possibly other relevant
    lists.  This will usually happen when an issue has been resolved, or it
    appears that there will be no further discussion on vuln-dev.  Each
    separate issue will be given its own posting to facilitate referencing
    them separately, for discussion, forwarding, or appearance in vulnerability
    databases.
    
    To subscribe to vuln-dev, send an e-mail to listservat_private,
    with the word SUBSCRIBE in the body of the message.
    
    A FAQ and archive can be found at www.securityfocus.com-->forums-->vuln-dev
    (click on these sections, the web pages are forms-based.)
    -------------------------------------------------------------------
    
    There exists a trojan/worm that purports to be a beta of "ICQ 2000".  This
    program used to live here:
    
    http://download-icq2000.hypermart.net/
    
    Hypermart has since removed that site.  However, the assumption should be
    made that the author will try again.  This note is intended to warn people
    to be on the lookout for this MO.
    
    When run, the program looks like it has hung.  In fact, as long as you
    leave it running, it contacts ICQ users via the ICQ web interface, and
    advertises itself (i.e. "Download ICQ2000 here...").  Hence the "worm"
    part, though users must manually download and run it.
    
    Analysis of disk and registry activity, as well as diffs of hard drives
    after being run indicate no attempt to install itself on the hard drive.  It
    *looks* like after it's killed, it is gone.  Of course, without an
    exhaustive, complete decompile and analysis (which I don't expect anyone to
    do) we can't be sure.  It could be doing something extremely clever in RAM,
    waiting to strike another day.  The program appears to have been written in
    Delphi, and looks like it uses Internet Explorer libraries.
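    The before/after hard-drive comparison described above, written out as an
    added example that is not part of the original post or of the vuln-dev
    discussion: it hashes every file under a directory tree into a manifest,
    takes one manifest before a suspect sample is run and one after, and reports
    what was added, removed or modified.  An empty diff is what the post
    describes for this sample; a non-empty one is what you would see from a
    sample that drops or alters files to persist.  The directory layout and
    file names in demo() are constructed for the example, not observed artifacts
    of the ICQ 2000 trojan.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Paths use '/' regardless of platform so manifests can be compared or
    stored from a different machine than the one that produced them.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_snapshots(before, after):
    """Compare two manifests; an all-empty result means no on-disk change."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Constructed scenario: a small 'system' tree, snapshotted twice.

    Returns (clean_diff, dirty_diff): the first after running nothing, the
    second after simulating a sample that writes a new file into a startup
    directory and overwrites an existing configuration file.
    """
    with tempfile.TemporaryDirectory() as root:
        # Constructed baseline files standing in for an installed system.
        os.makedirs(os.path.join(root, "startup"))
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("[settings]\nautostart=0\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("baseline\n")

        before = snapshot(root)

        # Case 1: nothing touched the disk (what the post reports for this sample).
        clean = diff_snapshots(before, snapshot(root))

        # Case 2: constructed persistence behaviour, for contrast only.
        with open(os.path.join(root, "startup", "dropped.dat"), "wb") as fh:
            fh.write(b"constructed payload bytes")
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("[settings]\nautostart=1\n")
        dirty = diff_snapshots(before, snapshot(root))

        return clean, dirty


if __name__ == "__main__":
    clean_result, dirty_result = demo()
    print("no-install sample:", clean_result)
    print("persisting sample:", dirty_result)
```

    In practice you would take the "before" manifest from a clean image,
    run the sample in an isolated machine, then take the "after" manifest from
    the same tree; hashing (rather than comparing timestamps) catches a file
    that was rewritten in place with its original size.  The post's caveat
    still applies: an empty file-system diff says nothing about what the
    process did in memory or over the network while it was running.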
    
    If folks want a copy to analyze, I will be hanging onto my copy for a
    while.  Mail me.
    
    For the complete discussion, please see the vuln-dev archives.
    
    						BB
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:52 PDT