All files are now available separately in: http://irc.projectjj.dk/files.exe.dir/
Or as a zip: http://irc.projectjj.dk/files.exe.dir/files.exe.dir.zip

A word of warning, though, since running taskmngr.exe (mIRC) will make it
autoinstall itself also.

-- Tino Didriksen / Project JJ

----- Original Message -----
From: "Danny" <Dannyat_private>
To: "'Tino Didriksen'" <sfoat_private>
Sent: Wednesday, January 22, 2003 5:49 PM
Subject: RE: mIRC Zombie, port 445

Tino, could you possibly post the mirc.ini (nt32.ini) on the web someplace,
or zip up all the files and supply a URL. I don't have a test machine
available at the moment so I don't want to run the exe to get them :)
Thanks in advance.

Cheers
Danny
Network Security Engineer
Drexel University
Digital ID Print: 874f 1b77 470f 0b10 126e d8d2 c3a3 d52a 24ab 73c3
PGP Print: C6AD B205 E3C6 38AB 0164 6604 66F5 CCFC F4ED F1E0
PGP Key: http://akasha.irt.drexel.edu/danny.asc

|>-----Original Message-----
|>From: Tino Didriksen [mailto:sfoat_private]
|>Sent: Saturday, January 18, 2003 9:04 PM
|>To: incidentsat_private
|>Subject: mIRC Zombie, port 445
|>
|>I have observed a zombie/trojan on a zombie IRC network that apparently
|>infects vulnerable computers through port 445.
|>
|>There are constantly about 980 zombies performing netblock wide scans for
|>IPs with port 445 vulnerable.
|>
|>A copy of the Zombie in its original form:
|>URL: http://irc.projectjj.dk/Files.exe.zombie
|>Needs to be renamed to files.exe, though.
|>DO NOT RUN THIS FILE BEFORE READING THROUGH!
|>
|>When run, it will create C:\winnt\INF\other regardless of %windir% (an
|>obvious mistake from the creator), but the BAT files in the dir do
|>indicate it makes the zombie run at boot.
|>
|>Anyways, these files are created for sure:
|>C:\winnt\INF\other\hide.exe
|>C:\winnt\INF\other\mdm.exe
|>C:\winnt\INF\other\psexec.exe
|>C:\winnt\INF\other\taskmngr.exe
|>C:\winnt\INF\other\nt32.ini
|>C:\winnt\INF\other\remote.ini
|>C:\winnt\INF\other\secureme
|>C:\winnt\INF\other\win32.mrc
|>C:\winnt\INF\other\BACKUP.BAT
|>C:\winnt\INF\other\seced.bat
|>C:\winnt\INF\other\start.bat
|>
|>- hide.exe is used by start.bat to effectively cloak that it's installing
|>itself.
|>- mdm.exe is in reality HideWindow by Adrian Lopez, but he's quite
|>innocent otherwise.
|>- psexec.exe seems to be a remote tool...unknown...
|>- taskmngr.exe is in reality mIRC v5.70, an IRC client.
|>- nt32.ini, remote.ini, win32.mrc are all mIRC INI/script files.
|>- secureme appears to be INI sections for making it run at boot...
|>- The BATs are minor utils.
|>
|>When activated, it uses mIRC (taskmngr.exe) to connect to an IRC server:
|>Server: bots.bounceme.net
|>Port: 7000
|>Channel: #Nova
|>It will generate a random name.
|>
|>And then it waits for the master to activate it.
|>
|>The network is limited to 990 clients, but it is nearly always full, and
|>since people go on/off, then I figure several thousand computers are
|>infected.
|>
|>Sample from the log:
|><OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
|><OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
|><XZGW53604> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
|><XZGW53604> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
|><XJNH54935> [Found 18.232.0.71]: Attempting to Infect
|><XJNH54935> [Found 18.232.0.84]: Attempting to Infect
|><XJNH54935> [Found 18.232.0.86]: Attempting to Infect
|><XJNH54935> [Found 18.232.0.91]: Attempting to Infect
|>...etc...
|>
|>Well, hope this is of any help. First time I'm posting here...
|>
|>-- Tino Didriksen / projectjj.dk
|>
|>----------------------------------------------------------------------------
|>This list is provided by the SecurityFocus ARIS analyzer service.
|>For more information on this free incident handling, management
|>and tracking system please see: http://aris.securityfocus.com
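The log excerpt in the original report has three recognisable bot message shapes (a master login acknowledgement, a "Scan Started" announcement with a range and port, and a "Found ...: Attempting to Infect" line). The following is an added example, not code from the thread or from Project JJ, showing how an incident handler could parse a captured channel log of that shape into a summary of controllers, zombie nicks, announced scan ranges and reported victims. The regexes are assumptions derived from the excerpt's format, and the sample lines are constructed in that shape rather than taken from the real capture.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the log excerpt from the post
# (nicknames and addresses are sample values, not captured data).
SAMPLE_LOG = """\
<OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XJNH54935> [Found 18.232.0.71]: Attempting to Infect
<XJNH54935> [Found 18.232.0.84]: Attempting to Infect
<XJNH54935> [Found 10.0.0.5]: Attempting to Infect
<QRST00001> just chatting, nothing to see here
"""

# Patterns assumed from the three message shapes visible in the excerpt.
NICK = r"^<(?P<nick>[^>]+)> "
LOGIN_RE = re.compile(NICK + r"\[LoGiN AcCePtEd\] \[User: (?P<user>[^\]]+)\]")
SCAN_RE = re.compile(
    NICK + r"\[Scan Started\] (?P<start>[\d.]+) to (?P<end>[\d.]+)\.\.\. \[port:(?P<port>\d+)\]"
)
FOUND_RE = re.compile(NICK + r"\[Found (?P<ip>[\d.]+)\]: Attempting to Infect")


@dataclass
class Scan:
    nick: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    port: int

    def size(self) -> int:
        """Number of addresses the zombie was told to sweep."""
        return int(self.end) - int(self.start) + 1

    def covers(self, ip: ipaddress.IPv4Address) -> bool:
        return self.start <= ip <= self.end


@dataclass
class Report:
    masters: set = field(default_factory=set)      # 'User:' names accepted as master
    zombies: set = field(default_factory=set)      # nicks that emitted bot status lines
    scans: list = field(default_factory=list)      # announced sweeps
    victims: set = field(default_factory=set)      # addresses reported as 'Found'
    unmatched: list = field(default_factory=list)  # lines not in bot format (ordinary chat)


def parse_log(text: str) -> Report:
    """Classify each channel line by the bot message shape it matches."""
    report = Report()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOGIN_RE.match(line)
        if m:
            report.masters.add(m["user"])
            report.zombies.add(m["nick"])
            continue
        m = SCAN_RE.match(line)
        if m:
            report.zombies.add(m["nick"])
            report.scans.append(Scan(m["nick"], ipaddress.IPv4Address(m["start"]),
                                     ipaddress.IPv4Address(m["end"]), int(m["port"])))
            continue
        m = FOUND_RE.match(line)
        if m:
            report.zombies.add(m["nick"])
            report.victims.add(ipaddress.IPv4Address(m["ip"]))
            continue
        report.unmatched.append(line)
    return report


def victims_outside_scans(report: Report) -> set:
    """'Found' hosts not covered by any announced range: activity the visible
    commands do not explain, so worth a second look during triage."""
    return {ip for ip in report.victims if not any(s.covers(ip) for s in report.scans)}


if __name__ == "__main__":
    r = parse_log(SAMPLE_LOG)
    print(f"masters={sorted(r.masters)} zombies={sorted(r.zombies)}")
    for s in r.scans:
        print(f"{s.nick} sweeping {s.start}-{s.end} ({s.size()} addrs) on port {s.port}")
    print("victims:", ", ".join(str(ip) for ip in sorted(r.victims)))
    print("outside announced ranges:", sorted(str(ip) for ip in victims_outside_scans(r)))
```

The "Found" addresses are the most actionable output for a responder: each is a host that a zombie claimed to be infecting over port 445 and can be cross-checked against one's own address space. Lines that match none of the three shapes are kept in `unmatched` rather than dropped, so a new command format introduced by the controller is noticed instead of silently ignored.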
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 11:20:01 PST