Not often I post to the list.

Lately the IRC network I help run (away from work) has seen a large number of host connections with a pattern similar to numerous other trojan/malware infections that have an IRC element. Namely: similar nicks, user@, and real name fields.

In this case the nicks are all one of several similar patterns (repeats lead us to believe it may be chosen from a list), the user@ is always javauser@ (I haven't actually seen a legitimate Java client with this ident, though there may well be one), and the Real Name field is always a pattern of "nnnnn 1" where nnnnn is a five-digit random number.

Hosts have been spotted from all over the world. Cursory scans indicate the boxen involved are Windows systems running IIS.

I'm wondering if anyone knows what Trojan or worm this is. We've encountered several others in the past, and this one isn't quite like any of the others. All the connections generate a low level of traffic, as indicated by sub-2-minute idle times. None of them join channels (as most floodnet bots do, so their controller can get to them) and none of them appear to respond to msg or DCC contacts.

Is this an old one I've missed? A new one? A new config on an old worm? A large number of really strange Java client users?

Any insight would be appreciated.

-M
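The fingerprint described in the message above (ident `javauser`, real name of five digits followed by " 1") can be checked against `/WHO` output. The following is an added example, not part of the original post: it assumes RFC 1459 `RPL_WHOREPLY` (352) lines, assumes the ircd may prefix `~` to idents it could not verify, and uses constructed sample lines with documentation-range addresses and made-up nicks.

```python
import re

# Fingerprint from the post: ident "javauser", real name "nnnnn 1".
# Assumption: the ircd may prefix "~" when identd did not answer.
IDENT_RE = re.compile(r"~?javauser")
REALNAME_RE = re.compile(r"\d{5} 1")

def parse_who_reply(line):
    """Parse one RPL_WHOREPLY (352) line; return a dict, or None if not a 352."""
    head, sep, trailing = line.rstrip("\r\n").partition(" :")
    parts = head.split()
    if parts and parts[0].startswith(":"):
        parts = parts[1:]                      # drop the server prefix
    if not sep or len(parts) != 8 or parts[0] != "352":
        return None
    _num, _me, channel, user, host, _server, nick, _flags = parts
    hops, _, realname = trailing.partition(" ")  # trailing is "<hopcount> <real name>"
    if not hops.isdigit():
        return None
    return {"nick": nick, "user": user, "host": host,
            "realname": realname, "in_channel": channel != "*"}

def matches_fingerprint(rec):
    """Both fields must match; either one alone can be a legitimate client."""
    return bool(IDENT_RE.fullmatch(rec["user"])
                and REALNAME_RE.fullmatch(rec["realname"]))

def flag_suspects(lines):
    """Return parsed records for every WHO line that matches the fingerprint."""
    records = (parse_who_reply(l) for l in lines)
    return [r for r in records if r and matches_fingerprint(r)]

# Constructed sample WHO output (not real hosts or users).
SAMPLE_WHO = [
    ":irc.example.net 352 oper * javauser 192.0.2.14 irc.example.net Kira83 H :0 48213 1",
    ":irc.example.net 352 oper * ~javauser 198.51.100.7 irc.example.net Dale19 H :0 90417 1",
    ":irc.example.net 352 oper #java javauser 203.0.113.5 irc.example.net applet_fan H :0 Java User",
    ":irc.example.net 352 oper #help alice host.example.org irc.example.net alice H@ :0 12345 1",
    ":irc.example.net 315 oper * :End of /WHO list.",
]

if __name__ == "__main__":
    for rec in flag_suspects(SAMPLE_WHO):
        note = "" if rec["in_channel"] else " (in no channel)"
        print(f'{rec["nick"]}!{rec["user"]}@{rec["host"]} "{rec["realname"]}"{note}')
```

Requiring both fields keeps a Java client that merely shares the ident, or a user whose real name happens to fit the pattern, out of the result; the `in_channel` field is reported as corroboration rather than used as a filter.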
This archive was generated by hypermail 2b30 : Thu Apr 10 2003 - 10:21:19 PDT