Analyse Worm18000

From: Wesley (ipfwat_private)
Date: Sat Jun 22 2002 - 01:08:10 PDT


    I made a fast & small analysis of Worm1800.exe.
    
    
    When the file is run, it adds an entry to the registry: 
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\FONTS\FONTS\BAH\THIS\IS\TOO\EASY\HAH\WHVLXD.EXE
    
    .%windowsfonts%\fonts\bah\this\is\too\easy\hah\ 
    
    [PR.ini]
    On start, it checks whether the 'Hidefile' temp2.exe exists; if not, it closes down the IRC client.
    If the file exists, it connects to the server my-mom-says-im-a.linux-dude.com, port 6667, using a random nickname from the TEMP.SCR file.
    Checks if port 9000 is free on the machine, then opens it. If port 9000 is not free, it closes down the mIRC file (not sure what this is for).
    Some commands:
    !login <password> - password is: BotNet (grants you 'master' access)
    It has a built-in bouncer function.
    Also, this 'file' seems to be some kind of update for older versions of this script.
    It checks for files such as: 
    C:\WINDOWS\INF\g\temp.scr
    C:\WINDOWS\bero\mirc.ini
    C:\WINDOWS\web32\rb.exe
    and removes them.
    Other things it has: a simple portscanner, flood clones, channel commands.
    
    
    
    [MIRC.INI]
    'config' file for the mIRC client.
    
    [GATES.TXT] 
    File with open proxies/wingates.
    
    
    [TEMP.SCR]
    File with random nicknames.
     
    [mirc2.ini]
    'Command scripts' - Don't have time to list them all right now.
    It checks whether the 'Hidefile' temp2.exe exists; if not, it closes down the IRC client.
    Some interesting commands are:
    !Packet IP Amount - uses ping.exe.
    !wingate.load - uses the gates.txt file.
    !fileserver.access - Opens up a fileserver, sharing c:\
    !credits - returns: msg # %logo Credits:[To: Info_Hacker - Exter(MicroTech) - Silic0n0] %logo
    !ver - returns: msg # %logo «By» «Info_Hacker» - «Version» «3.0»
    The rest of the commands are some basic operator & CTCP flood attacks, nothing fancy. 
    
    [WHVLXD.DAT] 
    I think this file checks whether the entry was added to the registry; not sure.
    
    [WHVLXD.EXE]
    No idea.
    
    [infonet.mrc]
    Simple mail bomber.
    Usage:  !Mail-Bomb <mailserver> <to> <subject> <message>
    
    [moo.dll]
    See sysinfo.mrc.
    
    [scan.txt]  
    Scans people on join for ports 27374 (Sub7), 1243 (old Sub7 port), 12345 (NetBus).
    Messages the main channel when open port is found.
    usage: !Tscan [start/stop/help]
    
    [cisco.ini]
    Scans for Cisco enabled/consoled routers (open port 23), sends the strings: consolepass, enable, enablepass
    Found consoled routers are saved to: scan\consoled.txt
    Found enabled routers are saved to: scan\enable.txt
    Usage:  !ciscoscan [stop(optional)] IP range (XX.XX.)
    
    [sysinfo.mrc]
    sysinfo.mrc tells you what type of CPU you have, shows memory and free memory, screen resolution and operating system by reading the moo.dll file.
    
    [remote.ini]
    variables 
    
    [TEMP2.exe]
    Hides/Reveals the mIRC client
    
    [infonet2.ini]
    some simple scripts & commands.
    (bouncer/portscanner/(CTCP/PRIVMSG)floods) 
    
    [temp2.exe]
    'HideFile' hides the mIRC client. 
    
    [spam.mrc] 
    Spam script; messages a person who joins a channel the client is in.
    usage: !Spam Server Port Message
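
    The post above lists a handful of host-side indicators: the Run key value pointing into the
    nested directory under FONTS, the WHVLXD.EXE dropper, the port 9000 listener, the outbound
    IRC connection to my-mom-says-im-a.linux-dude.com:6667, and the three files the update
    script removes from older installs. The script below is an added example (not part of
    Wesley's post or of the bot) that turns those indicators into a check over three inputs:
    the Run key values, 'netstat -a' output and a list of files present on the host. All
    sample input is constructed; on a real machine the Run values would come from winreg or
    'reg query', the netstat lines from 'netstat -a', and the file list from os.walk. Function
    names, the normalize() path canonicalisation and the "review" tag on unresolved IRC
    connections are my own design choices, not anything from the post.

```python
import re

# Indicators as given in the post (Worm1800 / WHVLXD.EXE mIRC bot).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DROP_DIR = r"fonts\fonts\bah\this\is\too\easy\hah"   # relative to the Windows directory
DROPPED_EXE = "whvlxd.exe"
OLD_VERSION_FILES = [                                  # removed by the bot's update script
    r"C:\WINDOWS\INF\g\temp.scr",
    r"C:\WINDOWS\bero\mirc.ini",
    r"C:\WINDOWS\web32\rb.exe",
]
C2_HOST = "my-mom-says-im-a.linux-dude.com"
C2_PORT = 6667
LISTEN_PORT = 9000


def normalize(path, windir=r"C:\Windows"):
    """Lower-case a Windows path, strip quotes, expand %windir%/%SystemRoot%, unify separators."""
    p = path.strip().strip('"').replace("/", "\\")
    p = re.sub(r"%(windir|systemroot)%", lambda m: windir, p, flags=re.I)
    p = re.sub(r"\\+", lambda m: "\\", p)          # collapse doubled backslashes
    return p.lower()


def executable_from_command(cmd):
    """First token of a Run-key command line: the quoted path, or text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    return cmd.split(" ")[0]


def check_run_entries(entries, windir=r"C:\Windows"):
    """entries: {value name: command} read from the Run key.
    Flags the bot's own autostart entry and, more generally, any program launched
    from inside the Fonts directory, which is where this bot hides."""
    hits = []
    drop = normalize(windir + "\\" + DROP_DIR, windir)
    fonts = normalize(windir + r"\fonts", windir)
    for name, cmd in entries.items():
        exe = normalize(executable_from_command(cmd), windir)
        if exe.startswith(drop + "\\") or exe.endswith("\\" + DROPPED_EXE):
            hits.append(("run-key", name, exe, "Worm1800 autostart entry"))
        elif exe.startswith(fonts + "\\"):
            hits.append(("run-key", name, exe, "program started from the Fonts directory"))
    return hits


# Matches Windows netstat rows: "  TCP    0.0.0.0:9000   0.0.0.0:0   LISTENING" (state optional for UDP)
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+(\S+))?", re.I)


def check_netstat(lines):
    """lines: output of 'netstat -a' (hostnames) or 'netstat -an' (addresses only)."""
    hits = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _laddr, lport, raddr, rport, state = m.groups()
        state = (state or "").upper()
        if proto.upper() == "TCP" and int(lport) == LISTEN_PORT and state == "LISTENING":
            hits.append(("netstat", line.strip(), "listener on the bot's port 9000"))
        if rport != "*" and int(rport) == C2_PORT and state == "ESTABLISHED":
            # With -an the foreign address is an IP, so a bare port-6667 match is only a lead.
            what = ("connection to the bot's IRC server" if raddr.lower() == C2_HOST
                    else "IRC connection (review: host not resolved)")
            hits.append(("netstat", line.strip(), what))
    return hits


def check_files(existing, windir=r"C:\Windows"):
    """existing: iterable of file paths present on the host (e.g. collected with os.walk)."""
    present = {normalize(p, windir) for p in existing}
    old = {normalize(p, windir) for p in OLD_VERSION_FILES}
    drop = normalize(windir + "\\" + DROP_DIR, windir)
    hits = []
    for p in sorted(present):
        if p in old:
            hits.append(("file", p, "leftover from an older version of the script"))
        elif p.startswith(drop + "\\"):
            hits.append(("file", p, "file in the Worm1800 drop directory"))
    return hits


def scan(run_entries, netstat_lines, files, windir=r"C:\Windows"):
    return (check_run_entries(run_entries, windir)
            + check_netstat(netstat_lines)
            + check_files(files, windir))


# Constructed sample input, shaped like real Run-key values, 'netstat -a' output and a file list.
SAMPLE_RUN = {
    "WHVLXD": r"C:\Windows\FONTS\FONTS\BAH\THIS\IS\TOO\EASY\HAH\WHVLXD.EXE",
    "SoundTray": r'"C:\Program Files\Sound\tray.exe" /quiet',
}
SAMPLE_NETSTAT = [
    "Active Connections",
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:9000           0.0.0.0:0              LISTENING",
    "  TCP    192.168.0.12:1043      my-mom-says-im-a.linux-dude.com:6667  ESTABLISHED",
    "  TCP    192.168.0.12:1044      198.51.100.20:80       ESTABLISHED",
]
SAMPLE_FILES = [
    r"C:\WINDOWS\bero\mirc.ini",
    r"C:\Windows\fonts\fonts\bah\this\is\too\easy\hah\temp2.exe",
    r"C:\Windows\fonts\arial.ttf",
]

if __name__ == "__main__":
    for kind, where, *detail in scan(SAMPLE_RUN, SAMPLE_NETSTAT, SAMPLE_FILES):
        print(kind, where, *detail)
```

    Against the constructed sample this reports five findings: the WHVLXD Run value, the port
    9000 listener, the IRC connection to the named server, the leftover bero\mirc.ini and the
    temp2.exe in the drop directory; the font file and the web connection are ignored. The
    Fonts-directory rule is deliberately broader than the post's single path, since a renamed
    dropper in the same hiding place would otherwise slip past an exact-path match.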
    
    
    
    
    
    
    