Pantek Library

PT-Girls-and-Boys Virus/Trojan

From: Reed Loden <reed(at)spamcop.net>
Date: Sat Nov 30 2002 - 20:24:57 EST


Hello fellow antivirus gurus.

An annoying virus/trojan is plaguing the users of IRC (Internet Relay Chat). This virus uses the well-known JS.Exception.Exploit to infect users via the web.

When a user goes to http://www.ptgirlsandboys.pt.vu, the page has an embedded frame that goes (currently) to
http://geocities.yahoo.com.br/dfhdfhbfdhbdfhd/index.html.

This page contains the code used to infect the user. I tried to attach it, but both my mail server and securityfocus's mail server denied the attachment. You can grab the source from:
view-source:http://geocities.yahoo.com.br/dfhdfhbfdhbdfhd/index.html

We at the UnderNet IRC Network would appreciate it if some of you would help us get the sites that they use (http://www.ptgirlsandboys.pt.vu and http://geocities.yahoo.com.br/dfhdfhbfdhbdfhd/index.html) closed down so no more users can get infected.

The virus, from what I can tell, creates two files in the mIRC directory of the infected user. The first is called "server.ini" and the second is randomly chosen and stored in a variable called "%file". The virus on the website then adds the two files to the loaded files list in the rfiles section of mirc.ini so they load automatically when the person opens their mIRC.

The virus forces the user to be in a channel called "#PT-girls-and-boys" on the IRC Network they are connected to. It "forbids" them to part it and spams random users that join in other chans they are in about the website so more people get infected.

We need help getting geocities.yahoo.com.br to close down the site and to get the domain that is used closed down. If somebody would help us with this, we would be much obliged, and it would help us clean tons of users of this annoying virus that plagues us.


Another person has mailed them (yahoo) 10+ times already, but they have not responded and more users are getting infected and we hit 250+ today and are still going up.

Please help us out with this matter since more users are getting infected every day with it.

Thanks!
~reed
Reed Loden Received on Wed Dec 4 16:28:24 2002
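
A defensive check for the persistence the message describes (two script files added to the rfiles section of mirc.ini), as an added example that is not part of the original post. The `n<index>=<file>` layout of `[rfiles]`, the `BASELINE` allow-list and the sample file name `xkqz.ini` are assumptions made for illustration.

```python
import configparser
import ntpath

# Constructed sample of an infected mirc.ini. The n<index>=<file> layout of
# [rfiles] is an assumption; "xkqz.ini" stands in for the randomly named file.
SAMPLE_MIRC_INI = """\
[mirc]
nick=example
[rfiles]
n0=remote.ini
n1=remote.ini
n2=aliases.ini
n3=server.ini
n4=xkqz.ini
"""

BASELINE = {"remote.ini", "aliases.ini"}  # hypothetical: scripts the user loads on purpose
KNOWN_BAD = {"server.ini"}                # file name reported in the post


def loaded_scripts(ini_text):
    """Return the entries of the [rfiles] section in file order."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case as written
    parser.read_string(ini_text)
    if not parser.has_section("rfiles"):
        return []
    return [value.strip() for _, value in parser.items("rfiles")]


def audit_rfiles(ini_text, baseline=frozenset(BASELINE)):
    """Return (file name, reason) for each auto-loaded script worth reviewing."""
    findings, seen = [], set()
    for entry in loaded_scripts(ini_text):
        # Entries may be bare names or Windows paths; compare case-insensitively.
        name = ntpath.basename(entry).lower()
        if not name or name in seen:
            continue
        seen.add(name)
        if name in KNOWN_BAD:
            findings.append((name, "known-bad"))
        elif name not in baseline:
            findings.append((name, "not-in-baseline"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_rfiles(SAMPLE_MIRC_INI):
        print(f"{reason}: {name}")
```

Run it against a copy of mirc.ini taken while mIRC is closed, with `BASELINE` set to the script files the user actually loads.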

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT

