Security Incidents mailing list archives

Re: FW: Sub-7


From: o'neil.brooke () LMCO COM (Brooke, O'Neil)
Date: Fri, 9 Jun 2000 14:58:22 -0400


        When BO came out I noticed similar traffic. In the bo traffic it
became evident that individuals (or groups) were building up personal
networks of infected hosts.
        This situation is quite serious. Take a look at the time index of
this log file, see the number of infected hosts advertising in such a
short period? With this kind of traffic an individual could build a
network of several hundred nodes within a week or two.
        When I first saw this kind of activity back in 98, I tried to tell
people about it so some action could be taken to correct the
situation. Those words fell on deaf ears. Perhaps times have changed.
        Does anyone have any ideas on how to stop this kind of activity, or
the people that are involved?

Abel Wisman wrote on 8/6/00 4:06 pm:

this is output in a channel on irc:

[17:10] *** Joins: cwc
[17:10] <cwc> Sub7Server v.2.1 installed on port: 27374, ip:
195.252.137.208 - victim: pechfregel - password: rasta
[17:10] *** Quits: dt018 (Leaving)
[17:10] *** Joins: kwxqry
[17:10] <kwxqry> Sub7Server v.2.1 installed on port: 27374, ip:
213.6.181.193 - victim: pechfregel - password: rasta
[17:10] <moxbj> Sub7Server v.2.1 installed on port: 27374, ip:
62.157.13.4 - victim: pechfregel - password: rasta
[17:10] <pjv> Sub7Server v.2.1 installed on port: 27374, ip:
192.168.10.52 - victim: pechfregel - password: rasta
[17:10] *** Joins: xakjbl
[17:10] <xakjbl> Sub7Server v.2.1 installed on port: 27374, ip:
62.224.173.111 - victim: pechfregel - password: rasta
[17:10] <paxlp> Sub7Server v.2.1 installed on port: 27374, ip:
195.71.25.254 - victim: pechfregel - password: rasta
[17:10] <sjil> Sub7Server v.2.1 installed on port: 27374, ip:
195.131.87.73 - victim: pechfregel - password: rasta
[17:11] <fwwm> Sub7Server v.2.1 installed on port: 27374, ip:
62.224.200.40 - victim: pechfregel - password: rasta
[17:11] *** Joins: yagc
[17:11] <yagc> Sub7Server v.2.1 installed on port: 27374, ip:
213.6.119.91 - victim: pechfregel - password: rasta
[17:12] <bstdm> Sub7Server v.2.1 installed on port: 27374, ip:
193.159.1.191 - victim: pechfregel - password: rasta
[17:12] <uen> Sub7Server v.2.1 installed on port: 27374, ip:
-193.0.81.2-192.168.171.26-193.159.10.204- - victim: pechfregel -
password: rasta

(attached log)

abel wisman

ABLE-TOWERS is a division of UROwear Llc which in turn is a division
of ABLE Consultancy Holding BV

we recommend you visit these pages:

www.able-towers.com (hosting)
www.ul.org (domainregistration)
www.nut-shell.com (webdesign)
www.webdesignsdirect.com (webdesign)

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Khan, Mansoor
Sent: Monday 5 June 2000 19:49
To: INCIDENTS () SECURITYFOCUS COM
Subject: Sub-7

I was wondering if any one has any experience with this Trojan
(Sub-7).  I am interested in finding out if it sends info through a
general broadcast to chat rooms.  Additionally, what specific info
does it send (from a w-95 machine) e.g. registry settings, user ids
and passwords etc.

Thanks,

