Re: mIRC Zombie, port 445

From: Jeff Bollinger (jeff01at_private)
Date: Wed Jan 22 2003 - 05:04:49 PST


    "- psexec.exe seems to be a remote tool...unknown..."
    
    psexec allows you to run commands on a Windows server remotely:
    
    http://www.sysinternals.com/ntw2k/freeware/psexec.shtml
    
    Good analysis!
    
    Jeff
    
    --
    Jeff Bollinger, CISSP
    University of North Carolina
    IT Security Analyst
    105 Abernethy Hall
    mailto: jeff_bollinger@unc dot edu
    
    Tino Didriksen wrote:
    |
    | I have observed a zombie/trojan on a zombie IRC network that apparently
    | infects vulnerable computers through port 445.
    |
    | There are constantly about 980 zombies performing netblock wide scans for
    | IPs with port 445 vulnerable.
    |
    | A copy of the Zombie in its original form:
    | URL: http://irc.projectjj.dk/Files.exe.zombie
    | Needs to be renamed to files.exe, though.
    | DO NOT RUN THIS FILE BEFORE READING THROUGH!
    |
    | When run, it will create C:\winnt\INF\other regardless of %windir% (an
    | obvious mistake from the creator), but the BAT files in the dir do
    | indicate it makes the zombie run at boot.
    |
    | Anyway, these files are created for sure:
    | C:\winnt\INF\other\hide.exe
    | C:\winnt\INF\other\mdm.exe
    | C:\winnt\INF\other\psexec.exe
    | C:\winnt\INF\other\taskmngr.exe
    | C:\winnt\INF\other\nt32.ini
    | C:\winnt\INF\other\remote.ini
    | C:\winnt\INF\other\secureme
    | C:\winnt\INF\other\win32.mrc
    | C:\winnt\INF\other\BACKUP.BAT
    | C:\winnt\INF\other\seced.bat
    | C:\winnt\INF\other\start.bat
    |
    | - hide.exe is used by start.bat to effectively cloak that it's installing
    | itself.
    | - mdm.exe is in reality HideWindow by Adrian Lopez, but he's quite
    | innocent otherwise.
    | - psexec.exe seems to be a remote tool...unknown...
    | - taskmngr.exe is in reality mIRC v5.70, an IRC client.
    | - nt32.ini, remote.ini, win32.mrc are all mIRC INI/script files.
    | - secureme appears to be INI sections for making it run at boot...
    | - The BATs are minor utils.
    |
    | When activated, it uses mIRC (taskmngr.exe) to connect to an IRC server:
    | Server: bots.bounceme.net
    | Port: 7000
    | Channel: #Nova
    | It will generate a random name.
    |
    | And then it waits for the master to activate it.
    |
    | The network is limited to 990 clients, but it is nearly always full, and
    | since people go on/off, I figure several thousand computers are
    | infected.
    |
    | Sample from the log:
    | <OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
    | <OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
    | <XZGW53604> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
    | <XZGW53604> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
    | <XJNH54935> [Found 18.232.0.71]: Attempting to Infect
    | <XJNH54935> [Found 18.232.0.84]: Attempting to Infect
    | <XJNH54935> [Found 18.232.0.86]: Attempting to Infect
    | <XJNH54935> [Found 18.232.0.91]: Attempting to Infect
    | ...etc...
    |
    | Well, I hope this is of some help. First time I'm posting here...
    |
    | -- Tino Didriksen / projectjj.dk
    |
    |
    ----------------------------------------------------------------------------
    | This list is provided by the SecurityFocus ARIS analyzer service.
    | For more information on this free incident handling, management
    | and tracking system please see: http://aris.securityfocus.com
    
    
    
    


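The status lines Tino quotes ([LoGiN AcCePtEd], [Scan Started] a.b.c.d to w.x.y.z [port:N], [Found ip]: Attempting to Infect) are regular enough to parse mechanically, which is useful if you are sitting on a channel log or an IRC sniffer capture and want to know who is controlling the bots, which netblocks they are sweeping and which hosts they claim to have found. The following is an added example written for this archive page; it is not code from either poster or from the zombie itself. It assumes the line format is exactly as shown in the quoted log (nick in angle brackets, then the bracketed status text). The sample log embeds the eight lines quoted above plus two constructed noise lines so the parser has something to ignore.

```python
import ipaddress
import re

# Constructed sample: the first eight lines are the ones quoted in the post,
# the last two are invented chatter so the parser has something to skip.
SAMPLE_LOG = """\
<OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XZGW53604> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<XZGW53604> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XJNH54935> [Found 18.232.0.71]: Attempting to Infect
<XJNH54935> [Found 18.232.0.84]: Attempting to Infect
<XJNH54935> [Found 18.232.0.86]: Attempting to Infect
<XJNH54935> [Found 18.232.0.91]: Attempting to Infect
<XJNH54935> hello everyone
:irc.example.invalid NOTICE * :*** Looking up your hostname
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
NICK = r"^<(?P<nick>[^>]+)>\s+"
# The three status-line shapes seen in the quoted log.
LOGIN_RE = re.compile(NICK + r"\[LoGiN AcCePtEd\]\s+\[User:\s*(?P<user>[^\]]+)\]")
SCAN_RE = re.compile(
    NICK + rf"\[Scan Started\]\s+(?P<start>{IPV4})\s+to\s+(?P<end>{IPV4})\S*\s+\[port:(?P<port>\d+)\]"
)
FOUND_RE = re.compile(NICK + rf"\[Found\s+(?P<ip>{IPV4})\]:\s*Attempting to Infect")


def parse_line(line):
    """Return an event dict for a recognised bot status line, else None."""
    m = LOGIN_RE.match(line)
    if m:
        return {"type": "login", "nick": m["nick"], "user": m["user"].strip()}
    m = SCAN_RE.match(line)
    if m:
        return {
            "type": "scan",
            "nick": m["nick"],
            "start": ipaddress.IPv4Address(m["start"]),
            "end": ipaddress.IPv4Address(m["end"]),
            "port": int(m["port"]),
        }
    m = FOUND_RE.match(line)
    if m:
        return {"type": "found", "nick": m["nick"], "ip": ipaddress.IPv4Address(m["ip"])}
    return None


def parse_log(text):
    """Parse every line of a channel log, dropping lines that are not bot status."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def summarize(events):
    """Aggregate who logged in as master, which nicks scan what, and claimed victims."""
    summary = {"controllers": set(), "scanners": {}, "targets": set(), "ports": set()}
    for e in events:
        if e["type"] == "login":
            summary["controllers"].add(e["user"])
        elif e["type"] == "scan":
            summary["scanners"].setdefault(e["nick"], []).append((e["start"], e["end"]))
            summary["ports"].add(e["port"])
        elif e["type"] == "found":
            summary["targets"].add(e["ip"])
    return summary


def range_size(start, end):
    """Number of addresses in an inclusive start..end sweep."""
    return int(end) - int(start) + 1


def in_scanned_range(events, ip):
    """True if `ip` falls inside any range a bot announced it was scanning."""
    ip = ipaddress.IPv4Address(ip)
    return any(e["type"] == "scan" and e["start"] <= ip <= e["end"] for e in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    s = summarize(evs)
    print("controllers:", sorted(s["controllers"]))
    print("scanning nicks:", sorted(s["scanners"]))
    print("ports:", sorted(s["ports"]))
    print("claimed victims:", sorted(map(str, s["targets"])))
    for nick, ranges in s["scanners"].items():
        for start, end in ranges:
            print(f"{nick} sweeps {start}-{end} ({range_size(start, end)} addresses)")
```

Two things worth noticing when you run it over the quoted lines: both scanning nicks were handed the same 18.0.0.0/8 sweep (so the controller is not partitioning work, and the same host may be hit by many bots), and the range announced is not an aligned CIDR block (18.1.1.1 rather than 18.0.0.0), so match on start/end rather than converting to a network.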

    This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 09:46:57 PST