Security Incidents mailing list archives

mIRC Trojan Variant - port 445 worm/Trojan


From: <kyle () kylelai com>
Date: Sun, 16 Feb 2003 17:49:50 -0500

Symantec added a variant of the mIRC Trojan to its virus definitions on
2/13/2003, and the worm/Trojan was based on the older mIRC Trojan
(ocxdll.exe/taskmngr.exe). The original analysis is at
http://www.klcconsulting.net/mirc_virus_analysis.htm

I saw more than the usual port 445 activity on incidents.org around 2/8-2/9,
and again in the last few days, so I cross-checked the Symantec site and found
the mIRC worm/Trojan variant, Backdoor.IRC.Zcrew.  This variant used port
445 like the older ocxdll.exe Trojan.  As I did some more research, I
noticed that TrendMicro analyzed this variant back on 12/3/2002, so I guess
it was not new, but just re-spreading.

I am curious how many people have seen this activity?
If you have a copy of this virus, can you contact me?  I am interested in
analyzing this worm/Trojan file(s).

Symantec -
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.zcrew.html
TrendMicro -
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FLOOD.BI.DR

Thanks,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klai () klcconsulting net
www.klcconsulting.net
