[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

new strange worm

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: new strange worm
From: Alex Gen <alexei.h@xxxxxxxx>
Date: 12 Apr 2004 12:29:22 -0000


http://www.mikenoels.net/matrix.swf/index1.html (do _not_ open.)

Found a new sort of worm, at least I didn't find any information about this on 
any securitysite;

Creates a registry entry \HKEY_CURRENT_USER\Software\Microsoft\Search 
Assistant\ACMru\5603 and adds a file called "umcss.exe" to 
C:\windows(winnt)\system32. The exececutable spawns a connection to a 
irc-server called apollo.uplinkearth.com at port 6667. I'm asuming it's sitting 
in a channel there to create a DoS at a specific date or to give the owner of 
that irc-server problems.

it also adds a line in mirc.ini telling it to load a script called custom1.mrc, 
which adds a "on join" to remote, sending several messages to channel visitors, 
including one with the URL above.

regards,
Alex Gen

Prev by Date: [CLA-2004:837] Conectiva Security Announcement - mod_python
Next by Date: Microsoft Internet Explorer BMP file memory DoS vulnerability
Previous by thread: [CLA-2004:837] Conectiva Security Announcement - mod_python
Next by thread: Microsoft Internet Explorer BMP file memory DoS vulnerability
Index(es):
- Date
- Thread