mIRC Zombie, port 445

From: Tino Didriksen (sfoat_private)
Date: Sat Jan 18 2003 - 18:03:38 PST

Next message: John Pugh: "Re: Hacked web server"

Previous message: Axel Beckert: "Re: Strange Apache logs - maybe DDOS?"
Next in thread: pjat_private: "Re: mIRC Zombie, port 445"
Reply: pjat_private: "Re: mIRC Zombie, port 445"
Reply: Jeff Bollinger: "Re: mIRC Zombie, port 445"
Reply: Michael LaSalvia: "RE: mIRC Zombie, port 445"
Reply: Sami Rautiainen: "Re: mIRC Zombie, port 445"
Reply: Andreas Str|m: "Re: mIRC Zombie, port 445"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) I have observed a zombie/trojan on a zombie IRC network that apparently infects vulnerable computers through port 445. There are constantly about 980 zombies performing netblock wide scans for IPs with port 445 vulnerable. A copy of the Zombie in it's original form: URL: http://irc.projectjj.dk/Files.exe.zombie Needs to be renamed to files.exe, though. DO NOT RUN THIS FILE BEFORE READING THROUGH! When run, it will create C:\winnt\INF\other regardless of %windir% (an obvious mistake from the creator), but the BAT files in the dir does indicate it makes the zombie run at boot. Anyways, these files are created for sure: C:\winnt\INF\other\hide.exe C:\winnt\INF\other\mdm.exe C:\winnt\INF\other\psexec.exe C:\winnt\INF\other\taskmngr.exe C:\winnt\INF\other\nt32.ini C:\winnt\INF\other\remote.ini C:\winnt\INF\other\secureme C:\winnt\INF\other\win32.mrc C:\winnt\INF\other\BACKUP.BAT C:\winnt\INF\other\seced.bat C:\winnt\INF\other\start.bat - hide.exe is used by start.bat to effectively cloak that it's installing itself. - mdm.exe is in reality HideWindow by Adrian Lopez, but he's quite innocent otherwise. - psexec.exe seems to be a remote tool...unknown... - taskmngr.exe is in reality mIRC v5.70, an IRC client. - nt32.ini, remote.ini, win32.mrc are all mIRC INI/script files. - secureme appears to be INI sections for making it run at boot... - The BATs are minor utils. When activated, it uses mIRC (taskmngr.exe) to connect to an IRC server: Server: bots.bounceme.net Port: 7000 Channel: #Nova It will generate a random name. And then it waits for the master to activate it. The network is limited to 990 clients, but it is nearly always full, and since people go on/off, then I figure several thousand computers are infected. Sample from the log: <OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»-- <OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445] <XZGW53604> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»-- <XZGW53604> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445] <XJNH54935> [Found 18.232.0.71]: Attempting to Infect <XJNH54935> [Found 18.232.0.84]: Attempting to Infect <XJNH54935> [Found 18.232.0.86]: Attempting to Infect <XJNH54935> [Found 18.232.0.91]: Attempting to Infect ...etc... Well, hope this is of any help. First time I'm posting here... -- Tino Didriksen / projectjj.dk ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Next message: John Pugh: "Re: Hacked web server"
Previous message: Axel Beckert: "Re: Strange Apache logs - maybe DDOS?"
Next in thread: pjat_private: "Re: mIRC Zombie, port 445"
Reply: pjat_private: "Re: mIRC Zombie, port 445"
Reply: Jeff Bollinger: "Re: mIRC Zombie, port 445"
Reply: Michael LaSalvia: "RE: mIRC Zombie, port 445"
Reply: Sami Rautiainen: "Re: mIRC Zombie, port 445"
Reply: Andreas Str|m: "Re: mIRC Zombie, port 445"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 01:34:32 PST