
mIRC Zombie, port 445

From: Tino Didriksen <sfo(at)projectjj.dk>
Date: Sat Jan 18 2003 - 21:03:38 EST

I have observed a zombie/trojan on a zombie IRC network that apparently infects vulnerable computers through port 445.

There are constantly about 980 zombies performing netblock wide scans for IPs with port 445 vulnerable.

A copy of the Zombie in its original form: http://irc.projectjj.dk/Files.exe.zombie (needs to be renamed to files.exe, though). DO NOT RUN THIS FILE BEFORE READING THROUGH! When run, it will create C:\winnt\INF\other regardless of %windir% (an obvious mistake from the creator), but the BAT files in the dir do indicate it makes the zombie run at boot.

Anyways, these files are created for sure:

C:\winnt\INF\other\hide.exe
C:\winnt\INF\other\mdm.exe
C:\winnt\INF\other\psexec.exe
C:\winnt\INF\other\taskmngr.exe
C:\winnt\INF\other\nt32.ini
C:\winnt\INF\other\remote.ini
C:\winnt\INF\other\secureme
C:\winnt\INF\other\win32.mrc
C:\winnt\INF\other\BACKUP.BAT
C:\winnt\INF\other\seced.bat
C:\winnt\INF\other\start.bat
  • hide.exe is used by start.bat to effectively cloak that it's installing itself.
  • mdm.exe is in reality HideWindow by Adrian Lopez, but he's quite innocent otherwise.
  • psexec.exe seems to be a remote tool...unknown...
  • taskmngr.exe is in reality mIRC v5.70, an IRC client.
  • nt32.ini, remote.ini, win32.mrc are all mIRC INI/script files.
  • secureme appears to be INI sections for making it run at boot...
  • The BATs are minor utils.

When activated, it uses mIRC (taskmngr.exe) to connect to an IRC server:
Server: bots.bounceme.net
Port: 7000
Channel: #Nova
It will generate a random name.

And then it waits for the master to activate it.

The network is limited to 990 clients, but it is nearly always full, and since people go on/off, I figure several thousand computers are infected.

Sample from the log:
<OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XZGW53604> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<XZGW53604> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XJNH54935> [Found 18.232.0.71]: Attempting to Infect
<XJNH54935> [Found 18.232.0.84]: Attempting to Infect
<XJNH54935> [Found 18.232.0.86]: Attempting to Infect
<XJNH54935> [Found 18.232.0.91]: Attempting to Infect
...etc...
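The channel log above is regular enough to be parsed mechanically, which is useful for an incident handler who wants to turn a captured C&C transcript into a list of scanned netblocks and hosts the bots reported as infection attempts. The following Python script is an added example, not part of the original post or of any tool the author describes; its sample lines are constructed to match the format quoted above, and the function names (parse_line, summarize, scanned_ranges_touching, targets_in_block) are my own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample transcript in the format quoted in the post
# (one unrelated chatter line added to show that non-matching lines are ignored).
SAMPLE_LOG = """\
<OURW40101> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<OURW40101> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XZGW53604> [LoGiN AcCePtEd] [User: HTYR22789] --«(Ma§ter)»--
<XZGW53604> [Scan Started] 18.1.1.1 to 18.255.255.255... [port:445]
<XJNH54935> [Found 18.232.0.71]: Attempting to Infect
<XJNH54935> [Found 18.232.0.84]: Attempting to Infect
<XJNH54935> [Found 18.232.0.86]: Attempting to Infect
<XJNH54935> [Found 18.232.0.91]: Attempting to Infect
<XJNH54935> some unrelated chatter
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# The three message types visible in the quoted log.
LOGIN_RE = re.compile(r"^<(?P<bot>[^>]+)> \[LoGiN AcCePtEd\] \[User: (?P<user>[^\]]+)\]")
SCAN_RE = re.compile(
    rf"^<(?P<bot>[^>]+)> \[Scan Started\] (?P<start>{IPV4}) to (?P<end>{IPV4})\.\.\. \[port:(?P<port>\d+)\]"
)
FOUND_RE = re.compile(rf"^<(?P<bot>[^>]+)> \[Found (?P<ip>{IPV4})\]: Attempting to Infect")


def parse_line(line):
    """Classify one log line; returns a dict with a 'kind' key or None if it is not a bot status message."""
    for kind, rx in (("login", LOGIN_RE), ("scan", SCAN_RE), ("found", FOUND_RE)):
        m = rx.match(line.strip())
        if m:
            event = m.groupdict()
            event["kind"] = kind
            return event
    return None


def summarize(lines):
    """Aggregate bot nicks, master logins, announced scan ranges and reported targets."""
    summary = {"bots": set(), "masters": set(), "scans": [], "targets": {}}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        summary["bots"].add(ev["bot"])
        if ev["kind"] == "login":
            summary["masters"].add(ev["user"])
        elif ev["kind"] == "scan":
            summary["scans"].append((ev["bot"], ev["start"], ev["end"], int(ev["port"])))
        else:  # "found": the bot claims it is attacking this host
            summary["targets"].setdefault(ev["bot"], []).append(ev["ip"])
    return summary


def scanned_ranges_touching(summary, cidr):
    """Return the announced scans whose start..end range overlaps the given network."""
    net = ip_network(cidr)
    lo_net, hi_net = int(net.network_address), int(net.broadcast_address)
    hits = []
    for bot, start, end, port in summary["scans"]:
        lo, hi = int(ip_address(start)), int(ip_address(end))
        if lo <= hi_net and hi >= lo_net:
            hits.append((bot, start, end, port))
    return hits


def targets_in_block(summary, cidr):
    """Sorted, de-duplicated list of reported targets that fall inside the given network."""
    net = ip_network(cidr)
    found = {ip for ips in summary["targets"].values() for ip in ips if ip_address(ip) in net}
    return sorted(found, key=lambda s: int(ip_address(s)))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("bots seen:", sorted(s["bots"]))
    print("masters:", sorted(s["masters"]))
    print("scans overlapping 18.232.0.0/24:", scanned_ranges_touching(s, "18.232.0.0/24"))
    print("reported targets in 18.232.0.0/24:", targets_in_block(s, "18.232.0.0/24"))
```

Feeding it your own netblock via scanned_ranges_touching and targets_in_block gives a quick answer to the two questions an affected site asks first: were we in a scan range, and did any bot report one of our hosts. Hosts that appear in the "Found" output should be checked for the file set listed earlier in the post.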


Well, hope this is of any help. First time I'm posting here...

-- 
Tino Didriksen / projectjj.dk

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Wed Jan 22 04:34:57 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT

