Re: possible new irc worm
From: Chris Ess <azarin(at)tokimi.net>
Date: Sat Jun 28 2003 - 01:52:16 EDT

> I attempted to grab that package in order to take a look at it, but the

I have a copy that someone else managed to snag. Jonathan, I'll send you a copy in another email. If anyone else wants it, please feel free to ask.

What I've come up with so far is this:

The vector appears to be a zip file that contains an HTML file. The HTML file has, at the beginning of it, a base64-encoded executable of some sort. Unfortunately, I lack the resources to analyze it further. (Anyone have a good x86 disassembler or decompiler they'd like to suggest?)

The text of the document is output through JavaScript. Presumably it uses this to execute the embedded executable. I'm told this only works in IE but haven't seen fit to experiment myself. (Is this behavior expected or is it a bug?)

I have been told that as of 8:30 BST (GMT+0100), the worms appeared to have stopped. I would guess that this is some sort of timing routine built into the worm. Whether or not it'll restart again remains to be seen, but I haven't seen any activity for a while.

Sincerely,
Chris Ess
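The delivery pattern described in the message above (a zip archive holding an HTML file whose top carries a base64-encoded executable, with the visible text written out by script) is easy to triage without running anything. The following script is an added example for this thread, not code from the poster or from the sample itself: it opens a zip in memory, finds HTML members, looks for long base64 runs and reports any run that decodes to an `MZ` header, plus whether the file carries a `<script>` tag. The sample archive it builds is constructed for the demonstration (the "executable" is a fake DOS header followed by zeros), and the 64-character minimum run length is an assumed threshold.

```python
import base64
import binascii
import io
import re
import zipfile

# Long runs of base64 alphabet characters; the 64-char floor is an assumed threshold
# chosen to skip short tokens such as attribute values.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)


def find_embedded_executables(html_bytes: bytes) -> list[dict]:
    """Return details of base64 runs in html_bytes that decode to an MZ (DOS/PE) header."""
    findings = []
    for m in B64_RUN.finditer(html_bytes):
        run = m.group(0)
        # Pad to a multiple of four so slightly ragged runs still decode.
        padded = run + b"=" * (-len(run) % 4)
        try:
            decoded = base64.b64decode(padded)
        except (ValueError, binascii.Error):
            continue
        if decoded[:2] == b"MZ":
            findings.append({
                "offset": m.start(),
                "encoded_len": len(run),
                "decoded_len": len(decoded),
            })
    return findings


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Scan each HTML member of a zip for script tags and embedded MZ payloads."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".htm", ".html")):
                continue
            data = zf.read(info)
            report.append({
                "member": info.filename,
                "has_script": bool(SCRIPT_TAG.search(data)),
                "embedded_executables": find_embedded_executables(data),
            })
    return report


def build_sample_zip() -> bytes:
    """Constructed sample: a zip with an HTML file carrying a base64 'executable' at the top.

    The payload is a fake DOS header ("MZ" plus zero padding), not a real program.
    """
    fake_exe = b"MZ" + b"\x00" * 126  # constructed stand-in, 128 bytes
    html = (
        b"<!-- " + base64.b64encode(fake_exe) + b" -->\n"
        b"<html><body><script>document.write('hello')</script></body></html>\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.html", html)
        zf.writestr("readme.txt", b"not html")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in triage_zip(build_sample_zip()):
        print(entry)
```

A hit here only says that an HTML file smuggles something shaped like a Windows executable; deciding what it does is the disassembly step the poster asks about. The same checks fit a mail gateway or IRC DCC quarantine rule, where a zip containing HTML with both a script tag and an embedded `MZ` blob is a strong enough signal to hold the file for review.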
Received on Sat Jun 28 13:38:46 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:10 EDT