Re: Worm1800.exe on UnderNet?

From: Kelly Brown (kellybat_private)
Date: Thu Jun 20 2002 - 15:59:01 PDT

Next message: K. Graham: "Re: Worm1800.exe on UnderNet?"

Previous message: Ryan Russell: "Re: Worm1800.exe on UnderNet?"
In reply to: cw: "Worm1800.exe on UnderNet?"
Next in thread: K. Graham: "Re: Worm1800.exe on UnderNet?"
Reply: K. Graham: "Re: Worm1800.exe on UnderNet?"
Reply: bonkat_private: "Re: Worm1800.exe on UnderNet?"
Reply: cw: "FollowUp: Worm1800.exe on UnderNet?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Did you look at the website.  They straight out say...

This Site was designed to help infected IRC users to find proper
information, the author does not accept any liability for any damage, loss
of data or loss of service caused by the use or misuse of this site. Use
at your own risk.

I don't know how you can misuse a website designed to infect people...

Anyway it looks like somebody connected with nohack.net may have something
to do with it.  If you are want to follow up you may want to email
webteamat_private as they are referenced in the web page source
code.  Maybe they can get the web site removed...  I doubt it but you
never know.



Kelly Brown
Unix System Administrator
Ericsson CDMA Systems

On Thu, 20 Jun 2002, cw wrote:

> Hi there folks,
> Twice in the past hour I have been messaged by two separate people on 
> UnderNet.
> 
> The message goes:
> :!Notice!: A Recent Port Scan on your Computer reveals that Port 1800 
> is in open state. This usually means that you have been infected with 
> an IRC Worm Virus. Please download the cleaner at: 
> http://www.No-Hack.Us/Fixes/Worm1800.exe to remove the virus from 
> your system. If you do not comply with this rule within 30 minutes, 
> our client monitor will ban you from this network. -Thanks For 
> Understanding. UNDERNet Exploit Team
> 
> The nicks have both been Under-XXX (where XXX is a different set of 
> numbers).
> 
> For one, I know that port 1800 is not open however the file 
> Worm1800.exe does not show up anything when scanned.
> 
> Both of the users that messaged me were on pacbell.net adsl
> 
> The domain no-hack.us was only registered 6 days ago.
> 
> I don't have the spare time or computer to have a further look into 
> what this file actually does, has anyone come across this yet and 
> know what it does or is anyone willing to investigate?
> -- 
> O- cw, cwat_private on 20/06/2002
> "Part man, part monkey. Baby that's me"
> 
> 
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
> 


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: K. Graham: "Re: Worm1800.exe on UnderNet?"
Previous message: Ryan Russell: "Re: Worm1800.exe on UnderNet?"
In reply to: cw: "Worm1800.exe on UnderNet?"
Next in thread: K. Graham: "Re: Worm1800.exe on UnderNet?"
Reply: K. Graham: "Re: Worm1800.exe on UnderNet?"
Reply: bonkat_private: "Re: Worm1800.exe on UnderNet?"
Reply: cw: "FollowUp: Worm1800.exe on UnderNet?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 16:06:17 PDT