
| Subject: | RE: a new virus? |
|---|---|
| Date: | Fri, 5 Nov 2004 18:43:12 -0500 |
Rodrigo,

It appears to be a variant of the sdbot / rbot / rxbot family of IRC bots. Here is an analysis I did on these that may help: http://www.nitroguard.com/rxbot.html

If you run Snort there are a couple of signatures that may help there as well. Run a "Netstat -ano" command and look for anything running on ports 113 or 5000.

The topic of the channel you saw, "!advscan lsass_445 100 5 0 -r", is not actually the topic. This is the command that is sent to the bot when it joins the channel. This command tells the bot to scan 100 machines by running 5 threads looking for ones that are vulnerable to the Microsoft LSASS vulnerability, if I remember correctly. -r may be recursive... it's been a while since I looked at the source.

Based on what you provided I would say that the LSASS patch may not have been applied to that machine. The 8000 users you saw were actually 8000 machines that were infected with this same IRC bot. That's a good sized botnet.

Good Luck.

--Chris

--
Christopher Harrington, CISSP
Senior Security Engineer
NitroData Systems
230 Commerce Way, #325
Portsmouth, NH 03801
603-766-8160
603-766-8169 Fax

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Rodrigo Ventura
Sent: Thursday, November 04, 2004 12:40 PM
To: focus-virus@securityfocus.com
Subject: a new virus?

This looks like a new virus; OfficeScan is unable to find it, as well as other well-known commercial AV software. Here are the symptoms:

- exploits port 445; massively tries random IPs in the same subnet the machine is on; this leads to an ARP storm;
- opens a backdoor at some port; responds to connections to that port with the message "220 StnyFtpd 0wns j0"; this may look like WORM_KIBUV.B, but its behaviour differs w.r.t. the other symptoms;
- opens an IRC connection to the IP 66.219.107.140 port 31375; I intercepted these two messages: (1) "PRIVMSG #Exploit :[lsass_445]: Exploiting " (2) ":HyperX.DarK.Com 404 nirjwmd #Exploit :No " and the IRC server identifies itself as "HyperX.DarK.Com (¤DarK¤ NeTworKs Root Server)";
- one of the infected machines identifies itself to the IRC server as "nirjwmd (ssmyn@DarK-EC2CC4A9.ist.utl.pt)" (ist.utl.pt is my domain).

Moreover, I found out there is a whole IRC network behind that, and that an infected PC tries randomly one from a pool of IP addresses. I got these: 66.219.107.140, 216.117.164.236, 216.117.152.69, all from port 31375. These IRC nets are active, since I tried one of them, and was z-lined (killed) with a human/hacker-like message: "You have been killed by ` for Root-AdminiStrator.At.DarK.Com!` (whassup?? whattu looking fer?)". So this seems active hacker activity.

I also found out a channel called #NinjaX with about 8000 users, but the server prevented me from listing them, as well as listing all channels, etc. BTW, the topic of the channel was "!advscan lsass_445 100 5 0 -r".

Any clues? Any place where it may be useful to report this info to?

I also found out that killing the process called winxp2.exe stopped the storms. Deleting the winxp2.exe file from the disk (c:\windows\system32) seemed to fix the problem. But I don't know if there is still something left.

Cheers,

Rodrigo

--
*** Rodrigo Martins de Matos Ventura <yoda@isr.ist.utl.pt>
*** Web page: http://www.isr.ist.utl.pt/~yoda
*** Teaching Assistant and PhD Student at ISR:
*** Instituto de Sistemas e Robotica, Polo de Lisboa
*** Instituto Superior Tecnico, Lisboa, PORTUGAL
*** PGP fingerprint = 0119 AD13 9EEE 264A 3F10 31D3 89B3 C6C4 60C6 4585
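As an added example (not code from either message in the thread), a small Python detector that decodes the advscan command Chris explains and flags the indicators Rodrigo reports (the exploit report to #Exploit, the StnyFtpd banner, connections to port 31375, and listeners on 113/5000 in "netstat -ano" output) in constructed capture lines. The field name "extra" for the third number of the command is an assumption; the thread does not explain that field.

```python
import re

# Indicators named in the thread: the channel command, the bot's exploit report,
# the backdoor banner, the IRC C2 port and the local ports to check with netstat.
C2_PORT = 31375
BACKDOOR_BANNER = "220 StnyFtpd 0wns j0"
SUSPECT_LOCAL_PORTS = {113, 5000}
ADVSCAN_RE = re.compile(r"!advscan\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+(-\S+))?")

def parse_advscan(text):
    """Split an advscan command into fields: per the thread the first number is the
    host count and the second the thread count; 'extra' (third number) is an assumption."""
    m = ADVSCAN_RE.search(text)
    if not m:
        return None
    module, count, threads, extra, flag = m.groups()
    return {"module": module, "count": int(count), "threads": int(threads),
            "extra": int(extra), "flag": flag}

def flag_line(line):
    """Return the names of the indicators matched by one capture/log line."""
    hits = []
    if parse_advscan(line) is not None:
        hits.append("advscan-command")
    if "PRIVMSG" in line and "[lsass_445]" in line:
        hits.append("lsass-exploit-report")
    if BACKDOOR_BANNER in line:
        hits.append("stnyftpd-banner")
    if re.search(r":%d\b" % C2_PORT, line):
        hits.append("c2-port-%d" % C2_PORT)
    return hits

def suspect_listeners(netstat_output):
    """Return local ports in 'netstat -ano' output that are in SUSPECT_LOCAL_PORTS."""
    found = set()
    for line in netstat_output.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+\S+:(\d+)\s", line)
        if m and int(m.group(2)) in SUSPECT_LOCAL_PORTS:
            found.add(int(m.group(2)))
    return found

# Constructed sample input; 192.0.2.x is documentation address space.
SAMPLE_LINES = ["TOPIC #NinjaX :!advscan lsass_445 100 5 0 -r",
                "PRIVMSG #Exploit :[lsass_445]: Exploiting 192.0.2.55",
                "TCP 192.0.2.10:1045 66.219.107.140:31375 ESTABLISHED",
                "220 StnyFtpd 0wns j0", "PRIVMSG #chat :hello"]
SAMPLE_NETSTAT = ("  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    904\n"
                  "  TCP    0.0.0.0:113    0.0.0.0:0    LISTENING    1860\n")

if __name__ == "__main__":
    print([(l, flag_line(l)) for l in SAMPLE_LINES], sorted(suspect_listeners(SAMPLE_NETSTAT)))
```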