Re: possible new irc worm

At 01.52 28/06/2003 -0400, Chris Ess wrote:

>What I've come up with so far is this:

Yes, I decoded easily the MIME stuff using WinZip. Here you are a quick & dirty analisys. The file decoded is a Win32 PE executable compressed by UPX: it is a new variant of Backdoor.SdBot, an IRC RAT that permits to malicious people to control PCs where the backdoor has been installed. On execution, the backdoor copies itself on the %Sysdir% folder and modifies the Registry to be executed automatically at every system startup:

Values added: 2

        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "hpsched"
                Type: REG_SZ
                Data: hpsched.exe
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "hpsched"
                Type: REG_SZ
                Data: hpsched.exe

I wrote "on the fly" a detection/removal tool, by the way. People interested may download it here:

http://www.nod32.it/cgi-bin/mapdl.pl?tool=Mindjail

ciao,
Paolo.

---
Future Time S.r.l.                                             tel  +39-06-5034227
Distributore esclusivo NOD32 e Outpost             fax +39-06-5037078
e-mail: paolo.monti@effetime.it                          www.nod32.it 

NOD32, il piu' veloce e preciso antivirus del mondo, parola di Virus Bulletin
************************ Proteggi il tuo mondo digitale ***************************


----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek