It looks like it can be either an XDCC bot or a DDoS bot. Basically port 445 is another NetBIOS port used by Windows 2000 and up (not sure if the earlier o/s used it, but from the literature I read I don't think they do). It scans the systems with that port for the default admin shares. Most of the time these shares have no password, the default password or an easy password. The shares it looks for usually include IPC$ or C$, although I've seen others scan through the whole alphabet.

To help stop the spread you should Google "default admin shares". In there you will find the exact registry entry for the o/s you have. This will permanently remove the share.

Hope this helped.

-----Original Message-----
From: Tino Didriksen [mailto:sfoat_private]
Sent: Saturday, January 18, 2003 9:04 PM
To: incidentsat_private
Subject: mIRC Zombie, port 445

I have observed a zombie/trojan on a zombie IRC network that apparently infects vulnerable computers through port 445. There are constantly about 980 zombies performing netblock-wide scans for IPs with port 445 vulnerable.

A copy of the Zombie in its original form:
URL: http://irc.projectjj.dk/Files.exe.zombie
Needs to be renamed to files.exe, though.

DO NOT RUN THIS FILE BEFORE READING THROUGH!

When run, it will create C:\winnt\INF\other regardless of %windir% (an obvious mistake from the creator), but the BAT files in the dir do indicate it makes the zombie run at boot. Anyways, these files are created for sure:

C:\winnt\INF\other\hide.exe
C:\winnt\INF\other\mdm.exe
C:\winnt\INF\other\psexec.exe
C:\winnt\INF\other\taskmngr.exe
C:\winnt\INF\other\nt32.ini
C:\winnt\INF\other\remote.ini
C:\winnt\INF\other\secureme
C:\winnt\INF\other\win32.mrc
C:\winnt\INF\other\BACKUP.BAT
C:\winnt\INF\other\seced.bat
C:\winnt\INF\other\start.bat

- hide.exe is used by start.bat to effectively cloak that it's installing itself.
- mdm.exe is in reality HideWindow by Adrian Lopez, but he's quite innocent otherwise.
- psexec.exe seems to be a remote tool... unknown...
- taskmngr.exe is in reality mIRC v5.70, an IRC client.
- nt32.ini, remote.ini, win32.mrc are all mIRC INI/script files.
- secureme appears to be INI sections for making it run at boot...
- The BATs are minor utils.

When activated, it uses mIRC (taskmngr.exe) to connect to an IRC server:

Server: bots.bounceme.net
Port: 7000
Channel: #Nova

It will generate a random name. And then it waits for the master to activate it.

The network is limited to 990 clients, but it is nearly always full, and since people go on/off, I figure several thousand computers are infected.

Sample from the log:

<OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XZGW53604> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<XZGW53604> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XJNH54935> [Found 18.232.0.71]: Attempting to Infect
<XJNH54935> [Found 18.232.0.84]: Attempting to Infect
<XJNH54935> [Found 18.232.0.86]: Attempting to Infect
<XJNH54935> [Found 18.232.0.91]: Attempting to Infect
...etc...

Well, hope this is of any help. First time I'm posting here...

--
Tino Didriksen / projectjj.dk

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 10:03:16 PST
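As an added triage helper (not code from either poster), the following parses the two status-line shapes from the channel log excerpt above, "[Scan Started] A to B... [port:N]" and "[Found IP]: Attempting to Infect", so an incident handler can list the netblocks being swept and the hosts the bots reported as infection attempts, and flag reports that fall outside any announced range. The sample lines are constructed in the same shape as the excerpt, not the real log.

```python
import ipaddress
import re
from collections import Counter

# Two line shapes from the captured channel log:
#   <nick> [Scan Started] A.B.C.D to E.F.G.H... [port:N]
#   <nick> [Found A.B.C.D]: Attempting to Infect
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
SCAN_RE = re.compile(rf"^<([^>]+)> \[Scan Started\] ({IP}) to ({IP})\.\.\. \[port:(\d+)\]$")
FOUND_RE = re.compile(rf"^<([^>]+)> \[Found ({IP})\]: Attempting to Infect$")

def parse_log(lines):
    """Split log lines into scan announcements (nick, start, end, port) and
    infection reports (nick, ip); anything else (logins, chatter) is skipped."""
    scans, found = [], []
    for raw in lines:
        line = raw.strip()
        if m := SCAN_RE.match(line):
            nick, start, end, port = m.groups()
            scans.append((nick, start, end, int(port)))
        elif m := FOUND_RE.match(line):
            found.append(m.groups())
    return scans, found

def in_announced_range(ip, scans):
    """True if ip falls inside any announced scan range (inclusive)."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(s) <= addr <= ipaddress.ip_address(e)
               for _, s, e, _ in scans)

def summarize(lines):
    """Per-bot count of infection reports, sorted target list, and targets
    outside every announced range (worth a closer look: a different sweep?)."""
    scans, found = parse_log(lines)
    targets = sorted({ip for _, ip in found}, key=ipaddress.ip_address)
    return {
        "per_bot": dict(Counter(nick for nick, _ in found)),
        "targets": targets,
        "unannounced": [ip for ip in targets if not in_announced_range(ip, scans)],
    }

# Constructed sample in the shape of the post's excerpt (not the real log).
SAMPLE_LOG = [
    "<OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--",
    "<OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]",
    "<XJNH54935> [Found 18.232.0.71]: Attempting to Infect",
    "<XJNH54935> [Found 18.232.0.84]: Attempting to Infect",
    "<QQQQ00001> [Found 10.9.8.7]: Attempting to Infect",
]
```

The "targets" list is what you would hand to the owners of the swept netblocks; hosts on it should be checked for the C:\winnt\INF\other files listed in the report.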