Full Disclosure mailing list archives
Re: Disney Down?
From: John Smith <vun.list () gmail com>
Date: Wed, 17 Aug 2005 11:40:47 -0400
I joined said IRC channel, and the topic is ".ntscan 100 120 -a -b" so it appears to be joining the channel and getting parameters for this "ntscan program"
Jan Nielsen wrote:

I was at a customer today with this problem, initially their network was acting up and some ppl couldn't logon to the servers in the morning. We found the file "kilo.exe" on some machines that apparently had not been patched, one thing I noticed while running this file on a vmware xp sp1 is that it connects to an irc server @ 61.220.217.49 on port 4128 and logs in to it with password : 146751dhzx

Then it sets a few commands :

JOIN #100+
MODE #100+ +nts

Which for an RBOT virus in itself is nothing special, but I noticed one thing in my sniffer trace that got me a bit worried, this is a packet sent from the infected pc to the irc server :

0000 00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00 ..S+....).g...E.
0010 00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc .S..@....F..d.=.
0020 d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18 .1... "..[....P.
0030 3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31 ?1....PRIVMSG #1
0040 30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a 00+ :[.NTScan.]:
0050 20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d  Weakpassword...
0060 0a                                              .

Anyone know what this could be ?

Regards
Jan

-----Original Message-----
From: sk3tch () sk3tch net [mailto:sk3tch () sk3tch net]
Sent: 17. august 2005 00:54
To: cdwilde () gmail com; full-disclosure () lists grok org uk
Subject: RE: [Full-disclosure] Disney Down?

MD5SUM 7a67f7a8c844820c1bae3ebf720c1cd9 (wintbp.exe)

Trend Micro: WORM_RBOT.CBQ - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
Symantec: Win32.Zotob.E
McAfee: exploit-dcomrpc
Kaspersky: Net-Worm.Win32.Small.d

This is what is on CNN right now.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk on behalf of David Wilde
Sent: Tue 8/16/2005 5:13 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Disney Down?

A buddy of mine whose fiance works for Disney just told me that they have sent everyone home for the day.
When I say everyone I mean, Disney Land, Disney World, Disney Corporate, etc... He's not sure what the virus is called but it's apparently very nasty. Anyone have any more info on this?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
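An added example, not code from the thread or from anyone posting in it: the frame Jan posted as a hexdump, decoded back into its Ethernet/IPv4/TCP headers and IRC payload, then checked against the indicators the thread gives (the 61.220.217.49:4128 endpoint, the PASS password and JOIN #100+ sequence, and the "[NTScan]" report line). The hexdump is the one from the post; the PASS/JOIN/MODE lines in the session list are reconstructed from the commands the post describes, not captured, and the function and indicator names are my own. One detail worth noticing is that the "." on either side of NTScan in the ASCII gutter is byte 0x02 (mIRC bold), so a matcher has to strip IRC formatting codes before it looks for the bracketed tag.

```python
"""Decode the posted hexdump (Ethernet II / IPv4 / TCP / IRC) and apply the
thread's indicators to the resulting IRC stream.  Added example; the hexdump
is copied from the post, the login lines are constructed from its description."""
import re
import struct
from ipaddress import IPv4Address

# Hexdump from the post: offset followed by up to 16 bytes per line (ASCII gutter dropped).
HEXDUMP = """
0000 00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00
0010 00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc
0020 d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18
0030 3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31
0040 30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a
0050 20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d
0060 0a
"""

# Indicators as stated in the thread (C2 endpoint, IRC password, channel, bot report tag).
C2_HOST, C2_PORT = "61.220.217.49", 4128
C2_PASSWORD = "146751dhzx"
C2_CHANNEL = "#100+"
# mIRC formatting: bold, plain, reverse, italic, underline, and colour (with optional fg[,bg]).
IRC_FORMATTING = re.compile(r"[\x02\x0f\x16\x1d\x1f]|\x03(?:\d{1,2}(?:,\d{1,2})?)?")
NTSCAN_REPORT = re.compile(r"^\[NTScan\]:", re.IGNORECASE)


def hexdump_to_bytes(dump):
    """Turn 'offset hh hh ...' lines back into raw bytes (at most 16 hex tokens per line)."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:17]:          # skip the offset, ignore any ASCII gutter
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break
            raw.append(int(tok, 16))
    return bytes(raw)


def parse_frame(frame):
    """Walk Ethernet II -> IPv4 -> TCP and return addresses, ports, flags and payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                    # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4               # TCP header length in bytes
    return {
        "src": str(IPv4Address(ip[12:16])), "sport": sport,
        "dst": str(IPv4Address(ip[16:20])), "dport": dport,
        "flags": tcp[13],
        "payload": tcp[data_off:],
    }


def parse_irc(line):
    """Split one IRC protocol line into (prefix, COMMAND, params), RFC 1459 style."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")  # trailing param may contain spaces
    params = head.split()
    command = params.pop(0).upper()
    if sep:
        params.append(trailing)
    return prefix, command, params


def strip_formatting(text):
    """Remove mIRC control codes; the bot wraps 'NTScan' in 0x02 (bold)."""
    return IRC_FORMATTING.sub("", text)


def match_indicators(packet, irc_lines):
    """Return the names (my own labels) of the thread's indicators that fire on this traffic."""
    hits = []
    if (packet["dst"], packet["dport"]) == (C2_HOST, C2_PORT):
        hits.append("c2-endpoint")
    for line in irc_lines:
        _, command, params = parse_irc(line)
        if command == "PASS" and params[:1] == [C2_PASSWORD]:
            hits.append("c2-password")
        elif command == "JOIN" and params[:1] == [C2_CHANNEL]:
            hits.append("c2-channel")
        elif command == "PRIVMSG" and len(params) == 2:
            if NTSCAN_REPORT.match(strip_formatting(params[1])):
                hits.append("ntscan-report")
    return hits


def analyse():
    """Decode the captured frame and score it together with the described login sequence."""
    packet = parse_frame(hexdump_to_bytes(HEXDUMP))
    payload = packet["payload"].decode("latin-1")
    # Constructed session: the PASS/JOIN/MODE lines the post describes, then the captured PRIVMSG.
    session = [f"PASS {C2_PASSWORD}", f"JOIN {C2_CHANNEL}", f"MODE {C2_CHANNEL} +nts", payload]
    return packet, payload, match_indicators(packet, session)


if __name__ == "__main__":
    pkt, text, hits = analyse()
    print(f'{pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]} {text!r}')
    print("indicators:", hits)
```

The decoded frame is 97 bytes: a 14-byte Ethernet header (source OUI 00:0c:29, i.e. a VMware NIC, consistent with the sandbox Jan describes), a 20-byte IPv4 header with total length 83, and a 20-byte TCP header with PSH+ACK set, leaving a 43-byte payload of `PRIVMSG #100+ :[\x02NTScan\x02]: Weakpassword..\r\n`. Matching on the stripped text rather than the raw bytes is what keeps the rule from being trivially evaded by a different colour or bold code around the tag.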
Current thread:
- RE: Disney Down?, (continued)
- RE: Disney Down? Larry Seltzer (Aug 17)
- Re: Disney Down? Micheal Espinola Jr (Aug 17)
- RE: Disney Down? Larry Seltzer (Aug 17)
- Re: Disney Down? Fergie (Paul Ferguson) (Aug 16)
- RE: Disney Down? Andre Protas (Aug 16)
- RE: Disney Down? sk3tch (Aug 16)
- RE: Disney Down? Poof (Aug 16)
- Re: Disney Down? xyberpix (Aug 17)
- Re: Disney Down? Morning Wood (Aug 16)
- RE: Disney Down? Jan Nielsen (Aug 17)
- Re: Disney Down? John Smith (Aug 17)
- RE: Disney Down? Jan Nielsen (Aug 17)
- RE: Disney Down? Michael Young (Aug 17)
- RE: Disney Down? Poof (Aug 16)
- RE: Disney Down? fd (Aug 17)
- Re: Disney Down? Mike Sawicki (Aug 17)
- Re: Disney Down? Technica Forensis (Aug 19)
- Re: Disney Down? Donald J. Ankney (Aug 19)