
| Subject: | a new virus? |
|---|---|
| Date: | Thu, 04 Nov 2004 17:39:54 +0000 |
This looks like a new virus; OfficeScan is unable to find it, as well
as other well-known commercial AV software. Here are the symptoms:
- exploits port 445; massively tries random IPs in the same subnet the
machine is on; this leads to an ARP storm;
- opens a backdoor at some port; responds to connections to that port
with the message "220 StnyFtpd 0wns j0"; this may look like
WORM_KIBUV.B, but its behaviour differs w.r.t. the other symptoms;
- opens an IRC connection to the IP 66.219.107.140 port 31375; I
intercepted these two messages:
(1) "PRIVMSG #Exploit :[lsass_445]: Exploiting "
(2) ":HyperX.DarK.Com 404 nirjwmd #Exploit :No "
and the IRC server identifies itself as "HyperX.DarK.Com (¤DarK¤
NeTworKs Root Server)";
- one of the infected machines identifies itself to the IRC server as
"nirjwmd (ssmyn@DarK-EC2CC4A9.ist.utl.pt)";
^^^^^^^^^^----> this is my domain
Moreover, I found out there is a whole irc network behind that, and
that an infected PC tries randomly one from a pool of IP addresses. I
got these: 66.219.107.140, 216.117.164.236, 216.117.152.69, all from
port 31375. These irc nets are active, since I tried one of them, and
was z-lined (killed) with a human/hacker-like message: "You have been
killed by ` for Root-AdminiStrator.At.DarK.Com!` (whassup?? whattu
looking fer?)". So this seems active hacker activity. I also found out
a channel called #NinjaX with about 8000 users, but the server
prevented me from listing them, as well as listing all channels,
etc. BTW, the topic of the channel was "!advscan lsass_445 100 5 0 -r".
Any clues? Any place where it may be useful to report this info to?
I also found out that killing the process called winxp2.exe stopped
the storms. Deleting the winxp2.exe file from the disk
(c:\windows\system32) seemed to fix the problem. But I don't know if
there is still something left.
Cheers,
Rodrigo
--
*** Rodrigo Martins de Matos Ventura <yoda@isr.ist.utl.pt>
*** Web page: http://www.isr.ist.utl.pt/~yoda
*** Teaching Assistant and PhD Student at ISR:
*** Instituto de Sistemas e Robotica, Polo de Lisboa
*** Instituto Superior Tecnico, Lisboa, PORTUGAL
*** PGP fingerprint = 0119 AD13 9EEE 264A 3F10 31D3 89B3 C6C4 60C6 4585
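The indicators in the post above (a burst of TCP/445 attempts against random hosts on the local /24, a listener greeting with "220 StnyFtpd 0wns j0", and an IRC session to TCP/31375 on one of the three listed servers carrying the "[lsass_445]: Exploiting" status line) are enough to write a simple detector. The following is an added example, not code from the original post, Trend Micro or any other vendor. It assumes a constructed flow-record format of "<epoch> <src_ip> <src_port> <dst_ip> <dst_port> <proto> [payload]"; the 10.0.5.x addresses, the backdoor port 5530 and the scan thresholds are placeholders chosen for the example, while the C2 addresses, port and strings are the ones quoted in the post.

```python
"""Detector for the behaviour described in the post (added example).

Flags a host when its traffic shows any of:
  1. many distinct hosts on its own /24 hit on TCP/445 within a short window
     (the ARP-storm-producing scan),
  2. a listener that sends the banner "220 StnyFtpd 0wns j0",
  3. an outbound connection to TCP/31375 on one of the listed IRC servers,
  4. an IRC message carrying the "[lsass_445]: Exploiting" status line.
"""
import ipaddress
from collections import defaultdict

# Indicators quoted verbatim in the post.
C2_SERVERS = {"66.219.107.140", "216.117.164.236", "216.117.152.69"}
C2_PORT = 31375
BACKDOOR_BANNER = "220 StnyFtpd 0wns j0"
IRC_EXPLOIT_MARKER = "[lsass_445]: Exploiting"

# Thresholds are assumptions for this example, not values from the post.
SCAN_MIN_TARGETS = 20    # distinct /24 hosts hit on TCP/445 by one source
SCAN_WINDOW_SECS = 60


def parse_flow(line):
    """Parse one constructed record:
    "<epoch> <src_ip> <src_port> <dst_ip> <dst_port> <proto> [payload]"."""
    parts = line.split(maxsplit=6)
    if len(parts) < 6:
        return None
    ts, src, sport, dst, dport, proto = parts[:6]
    payload = parts[6] if len(parts) == 7 else ""
    return {"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "payload": payload}


def analyze(lines):
    """Return {host: sorted indicator names} for every host that matches."""
    findings = defaultdict(set)
    syn_445 = defaultdict(list)          # src -> [(ts, dst)]
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if f["proto"] == "tcp" and f["dport"] == 445:
            syn_445[f["src"]].append((f["ts"], f["dst"]))
        if BACKDOOR_BANNER in f["payload"]:
            # The banner is sent by the infected host, so src is the listener.
            findings[f["src"]].add("backdoor_banner")
        if f["dst"] in C2_SERVERS and f["dport"] == C2_PORT:
            findings[f["src"]].add("irc_c2_connection")
        if IRC_EXPLOIT_MARKER in f["payload"]:
            findings[f["src"]].add("irc_exploit_report")

    # Sliding window over 445 attempts: many distinct targets in the same /24.
    for src, attempts in syn_445.items():
        attempts.sort()
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > SCAN_WINDOW_SECS:
                start += 1
            targets = {d for _, d in attempts[start:end + 1]
                       if ipaddress.ip_address(d) in net}
            if len(targets) >= SCAN_MIN_TARGETS:
                findings[src].add("subnet_445_scan")
                break
    return {h: sorted(v) for h, v in findings.items()}


def sample_flows():
    """Constructed records: 10.0.5.7 plays the infected host, 10.0.5.20 is clean."""
    lines = []
    # 40 SYNs to 40 distinct hosts on the same /24 within ten seconds.
    for i in range(40):
        lines.append(f"{1099590000 + i // 4} 10.0.5.7 {40000 + i} "
                     f"10.0.5.{(i * 37) % 250 + 1} 445 tcp")
    # IRC status line to one of the listed servers on port 31375.
    lines.append("1099590020 10.0.5.7 1025 66.219.107.140 31375 tcp "
                 "PRIVMSG #Exploit :[lsass_445]: Exploiting ")
    # Backdoor banner on a placeholder port (the post says only "some port").
    lines.append("1099590021 10.0.5.7 5530 10.0.5.20 33001 tcp "
                 "220 StnyFtpd 0wns j0")
    # Ordinary SMB from a clean host to a file server: one target, not a scan.
    lines.append("1099590030 10.0.5.20 49152 10.0.5.1 445 tcp")
    return lines


if __name__ == "__main__":
    for host, hits in analyze(sample_flows()).items():
        print(host, ", ".join(hits))
```

The scan heuristic keys on distinct targets within the host's own /24 rather than on raw SYN volume, because that is what produces the ARP storm the post describes: each probe of an unused local address triggers an ARP request that nobody answers. The banner and IRC checks are exact-string matches and will miss variants that change the greeting or channel name, so they confirm this particular bot rather than the family.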