Security Incidents mailing list archives

mIRC Zombie, port 445


From: Tino Didriksen <sfo () projectjj dk>
Date: 19 Jan 2003 02:03:38 -0000



I have observed a zombie/trojan on a zombie IRC network that apparently 
infects vulnerable computers through port 445.

There are constantly about 980 zombies performing netblock wide scans for 
IPs with port 445 vulnerable.

A copy of the Zombie in its original form:
URL: http://irc.projectjj.dk/Files.exe.zombie
Needs to be renamed to files.exe, though.
DO NOT RUN THIS FILE BEFORE READING THROUGH!

When run, it will create C:\winnt\INF\other regardless of %windir% (an 
obvious mistake from the creator), but the BAT files in the dir do 
indicate it makes the zombie run at boot.

Anyways, these files are created for sure:
C:\winnt\INF\other\hide.exe
C:\winnt\INF\other\mdm.exe
C:\winnt\INF\other\psexec.exe
C:\winnt\INF\other\taskmngr.exe
C:\winnt\INF\other\nt32.ini
C:\winnt\INF\other\remote.ini
C:\winnt\INF\other\secureme
C:\winnt\INF\other\win32.mrc
C:\winnt\INF\other\BACKUP.BAT
C:\winnt\INF\other\seced.bat
C:\winnt\INF\other\start.bat

- hide.exe is used by start.bat to effectively cloak that it's installing 
itself.
- mdm.exe is in reality HideWindow by Adrian Lopez, but he's quite 
innocent otherwise.
- psexec.exe seems to be a remote tool...unknown...
- taskmngr.exe is in reality mIRC v5.70, an IRC client.
- nt32.ini, remote.ini, win32.mrc are all mIRC INI/script files.
- secureme appears to be INI sections for making it run at boot...
- The BATs are minor utils.

When activated, it uses mIRC (taskmngr.exe) to connect to an IRC server:
Server: bots.bounceme.net
Port: 7000
Channel: #Nova
It will generate a random name.

And then it waits for the master to activate it.

The network is limited to 990 clients, but it is nearly always full, and 
since people go on/off, I figure several thousand computers are 
infected.

Sample from the log:
<OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XZGW53604> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<XZGW53604> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XJNH54935> [Found 18.232.0.71]: Attempting to Infect
<XJNH54935> [Found 18.232.0.84]: Attempting to Infect
<XJNH54935> [Found 18.232.0.86]: Attempting to Infect
<XJNH54935> [Found 18.232.0.91]: Attempting to Infect
...etc...

Well, hope this is of any help. First time I'm posting here...

-- Tino Didriksen / projectjj.dk
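Added example, not part of Tino's post: a small parser for channel lines in the shape quoted above, so a defender watching the channel can pull out the announced scan ranges and the hosts the bots report infection attempts against (the ones worth notifying). The sample lines are constructed to match that format; the function and pattern names are my own.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the same shape as the channel log quoted in the post.
SAMPLE_LOG = """\
<OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XJNH54935> [Found 18.232.0.71]: Attempting to Infect
<XJNH54935> [Found 18.232.0.84]: Attempting to Infect
<XJNH54935> [Found 18.232.0.71]: Attempting to Infect
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"  # strict dotted quad so trailing "..." is not swallowed
LINE_RE = re.compile(r"^<(?P<nick>[^>]+)>\s+(?P<msg>.*)$")
SCAN_RE = re.compile(rf"\[Scan Started\]\s+(?P<lo>{IP})\s+to\s+(?P<hi>{IP})\.*\s+\[port:(?P<port>\d+)\]")
FOUND_RE = re.compile(rf"\[Found\s+(?P<ip>{IP})\]:\s+Attempting to Infect")
LOGIN_RE = re.compile(r"\[LoGiN AcCePtEd\]\s+\[User:\s*(?P<user>[^\]]+)\]")

def parse_channel_log(text):
    """Summarise bot chatter: scan ranges, infection attempts per bot nick, master logins."""
    summary = {"scans": [], "targets": defaultdict(set), "logins": set()}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # joins/parts/server notices: not a channel message, skip
        nick, msg = m.group("nick"), m.group("msg")
        if (s := SCAN_RE.search(msg)):
            summary["scans"].append((nick, s["lo"], s["hi"], int(s["port"])))
        elif (f := FOUND_RE.search(msg)):
            summary["targets"][nick].add(f["ip"])  # set: repeated attempts collapse
        elif (l := LOGIN_RE.search(msg)):
            summary["logins"].add(l["user"])
    return summary

def hosts_to_notify(summary):
    """De-duplicated IPs that any bot reported an infection attempt against, in address order."""
    seen = set().union(*summary["targets"].values()) if summary["targets"] else set()
    return sorted(seen, key=lambda ip: int(ip_address(ip)))

if __name__ == "__main__":
    s = parse_channel_log(SAMPLE_LOG)
    for nick, lo, hi, port in s["scans"]:
        print(f"{nick} scanning {lo}-{hi} on port {port}")
    print("hosts to notify:", hosts_to_notify(s))
```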

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

