Just a note on the port 445 type of worm/Trojans; they may or may not have a mIRC component. The mIRC version of the worm/Trojan is more popular though. I remember the Lioten (Iraq_oil) worm, which used port 445 with 100 threads when doing the scanning and spreading. It used the "guessable users" and "password dictionary" lists, which is similar to the mIRC versions. More information can be found at http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lioten.html

I have seen close to a dozen ocxdll.exe/taskmngr.exe/task32.exe type worm/Trojan variants, and I have compiled a list of files that might represent worm/Trojan infections. This list is by no means complete because new variants come out quite often, and the authors just rename the files and spread the worm/Trojan again. You can find the worm/Trojan file list at http://www.klcconsulting.net/mirc_virus_analysis.htm

There is one version of the mIRC variant that includes a PStor.EXE file. This is a program to steal usernames and passwords stored via pstorec.dll, which include some IE and Web Outlook passwords. PStor.EXE is actually the program pStoreReader, and you can find the .exe and source code at http://intex.ath.cx. I first saw this variant on 10/23/2002, and it has surfaced again.

Cheers,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klaiat_private
www.klcconsulting.net

-----Original Message-----
From: Johannes Ullrich [mailto:jullrichat_private]
Sent: Wednesday, March 05, 2003 7:17 PM
To: Brian McWilliams
Cc: fixerat_private; incidentsat_private
Subject: Re: TCP 445 Scan?

Very likely the new worm. Like most of these "IRC animals", they are used to scan particular netblocks. So the impact is focused and less global compared to regular worms.

On Tue, 04 Mar 2003 14:59:33 -0500 Brian McWilliams <brian@pc-radio.com> wrote:
> http://www.viruslist.com/eng/viruslist.html?id=59741
>
>
> Worm.Win32.Randon
>
> Randon is a Virus-Worm distributed via IRC-channels and LANs with shared
> resources.
-- 
--------------------------------------------------------------------
jullrichat_private Collaborative Intrusion Detection
join http://www.dshield.org
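As an added example for this thread, not code from any of the posts above or from the worms and tools they name: a small Python script that flags the fan-out pattern Johannes describes, one source touching many distinct hosts on TCP/445 inside a short window, which is what a 100-thread port 445 scanner looks like from the firewall side. The log line format, the sample lines and the thresholds are constructed assumptions, not any product's real format.

```python
"""Flag sources that fan out to many distinct hosts on TCP/445 in a short window.

Added example for the "TCP 445 Scan?" thread; not code from the original posts
or from any tool named in them. Log format, sample lines and thresholds are
constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed (constructed) firewall line format:
#   "<YYYY-MM-DD HH:MM:SS> <src>:<sport> -> <dst>:<dport> <TCP|UDP> <ACCEPT|DROP>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"(?P<proto>TCP|UDP) (?P<action>ACCEPT|DROP)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_445_scanners(lines, window_seconds=60, min_targets=10):
    """Return {src: (peak_distinct_targets, window_start, window_end)} for every
    source that reached at least min_targets distinct hosts on TCP/445 within
    window_seconds. ACCEPT and DROP both count: a scanner probes hosts whether
    or not they answer."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != 445:
            continue
        events[rec["src"]].append((rec["ts"], rec["dst"]))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()            # events currently inside the sliding window
        per_dst = defaultdict(int)  # dst -> number of window events aimed at it
        peak = (0, None, None)
        for ts, dst in evs:
            window.append((ts, dst))
            per_dst[dst] += 1
            # Evict events that fell out of the window ending at ts.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old_dst = window.popleft()
                per_dst[old_dst] -= 1
                if per_dst[old_dst] == 0:
                    del per_dst[old_dst]
            if len(per_dst) > peak[0]:
                peak = (len(per_dst), window[0][0], ts)
        if peak[0] >= min_targets:
            hits[src] = peak
    return hits


# Constructed sample log: 10.1.2.3 sweeps 192.168.5.1-12 in twelve seconds (the
# worm pattern); 10.1.2.50 is a normal client of two file servers; 10.1.2.77
# touches four hosts over ten minutes. The UDP line, the port-139 line and the
# garbage line are ignored by the filter.
SAMPLE_LOG = """\
2003-03-04 14:50:00 10.1.2.77:2000 -> 192.168.5.20:445 TCP ACCEPT
2003-03-04 14:53:00 10.1.2.77:2001 -> 192.168.5.21:445 TCP ACCEPT
2003-03-04 14:56:00 10.1.2.77:2002 -> 192.168.5.22:445 TCP ACCEPT
2003-03-04 14:58:30 10.1.2.50:1025 -> 192.168.5.10:445 TCP ACCEPT
2003-03-04 14:59:00 10.1.2.3:3001 -> 192.168.5.1:445 TCP DROP
2003-03-04 14:59:01 10.1.2.3:3002 -> 192.168.5.2:445 TCP DROP
2003-03-04 14:59:02 10.1.2.3:3003 -> 192.168.5.3:445 TCP ACCEPT
2003-03-04 14:59:03 10.1.2.3:3004 -> 192.168.5.4:445 TCP DROP
2003-03-04 14:59:04 10.1.2.3:3005 -> 192.168.5.5:445 TCP DROP
2003-03-04 14:59:05 10.1.2.3:3006 -> 192.168.5.6:445 TCP DROP
2003-03-04 14:59:06 10.1.2.3:3007 -> 192.168.5.7:445 TCP ACCEPT
2003-03-04 14:59:07 10.1.2.3:3008 -> 192.168.5.8:445 TCP DROP
2003-03-04 14:59:08 10.1.2.3:3009 -> 192.168.5.9:445 TCP DROP
2003-03-04 14:59:09 10.1.2.3:3010 -> 192.168.5.10:445 TCP ACCEPT
2003-03-04 14:59:10 10.1.2.3:3011 -> 192.168.5.11:445 TCP DROP
2003-03-04 14:59:11 10.1.2.3:3012 -> 192.168.5.12:445 TCP DROP
2003-03-04 14:59:13 10.1.2.3:3014 -> 192.168.5.2:445 UDP DROP
2003-03-04 14:59:40 10.1.2.50:1026 -> 192.168.5.10:445 TCP ACCEPT
2003-03-04 14:59:41 10.1.2.50:1027 -> 192.168.5.10:139 TCP ACCEPT
2003-03-04 14:59:42 10.1.2.50:1028 -> 192.168.5.11:445 TCP ACCEPT
2003-03-04 15:00:00 10.1.2.77:2003 -> 192.168.5.23:445 TCP ACCEPT
this line is not a firewall record
"""

if __name__ == "__main__":
    for src, (n, start, end) in find_445_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct TCP/445 targets between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

Run as-is it reports only 10.1.2.3 (12 distinct targets in 11 seconds). The threshold and window are the knobs to tune: a file-server client that talks to a couple of servers never approaches ten distinct hosts in a minute, while a slow sweep such as 10.1.2.77 only shows up when the window is widened to ten minutes, so it pays to run the same check at more than one window size.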
This archive was generated by hypermail 2b30 : Thu Mar 06 2003 - 15:03:47 PST