IRC-New trojan ?
Results 1 to 2 of 2

Thread: IRC-New trojan ?

  1. #1

    IRC-New trojan ?

    Recently (a couple of days back) we were under some sort of attack of spambots in IRC.
    They were advertising a .zip file on some server called mindjail.zip .
    I am sorry but I do not have the full link to the .zip anymore.

    Anyway it was quite obvious that it was some sort of automated proccess because the spamming bots came in at a reasonable speed and had random nick-names.
    The IRC (unerror) contains people who reckonize this kinda thing and so nobody (I hope ) was stupid enough to download/execute the files that were advertised.

    I took the change and downloaded the dot zip file to a slackware testing machine.
    Here is what I found out.

    First I did a 'file' on the mindjail.zip.
    Turned out to be a valid zipfile version 2 required.
    Unzipped it.
    There was a comment in the zip file stating 'Im lame, but im not a kiddie heh'.
    The zipfile contained one file: 'mindjail.html'. I renamed the file mindjail.txt
    Once again a 'file' was in place. This is the output:
    mindjail.html: MIME entity text
    Immediatly came to mind that this was prolly some IE MIME exploit.(as seen on bugtraq some time ago)
    So I did a 'cat' on the file.
    This was the header of the .html: '
    MIME-Version: 1.0
    Content-Location:file:///javax.sun.base.exe
    Content-Transfer-Encoding: base64
    '
    and then the base64 encoded string.

    Went back to a Windows box and decoded the base64 coded program to a file named unknown.001
    Copied to floppy and run a linux file on it. It told me that it was a Win 386 PE exe.
    However when I loaded up a hexeditor on the file it gave me a bunch of crap.
    It seems to be a UPXed file (UPX is a file compressor). It gave me UPX2.
    Now my question is: Does anyone know any good programs to decrompress this file to see the actual contents of the .exe ?
    I tried UPX from sourceforge but it kept telling me "upx: c:\safe\unknown.exe: CantUnpackException: file is possibly modified/hacked/
    protected; take care!"

    The discussion has hit security focus:
    http://www.securityfocus.com/archive...7/2003-07-03/0 (original message)
    http://www.securityfocus.com/archive/75 (security focus archive:check for 'possible new irc worm')

    If anyone could shed some light on this issue I would be very delighted.
    I run AV and TAUSCAN on all the .ZIP the .HTML and the .001 (exe) file and none was found.

    I did not attach the file for (imo) obvious reasons. If you feel I should just let me know.
    btw. The worm stopped all of a sudden (check the sec-focus for the exact date) and we have not seen it since.

    Thank you.
    noODle

  2. #2
    Senior Member
    Join Date
    Jul 2002
    Location
    Texas
    Posts
    168
    As a update on the worm the bots that were connecting to the irc showed up today again. Now they are able to join channels on their own when before they could not. This gets around the solution of turning off channel autojoin to block them. I'll keep everyone posted about the subject as I see it unfold.

    Ive yet to open up the zip that noodle was so gracious in giving me that will be in the next couple days though, and you will be informed how that went as well.

    Edit

    The bots new message: <hikaRiBy^k26> Pretty Malaysian Actress NAKED Picture On http://wave.prohosting.com/prop3rty/malay.zip No ****!!
    <chsh> I've read more interesting technical discussion on the wall of a public bathroom than I have at AO at times

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides