Recently (a couple of days back) we were under some sort of attack of spambots in IRC.
They were advertising a .zip file on some server called mindjail.zip .
I am sorry but I do not have the full link to the .zip anymore.
Anyway it was quite obvious that it was some sort of automated proccess because the spamming bots came in at a reasonable speed and had random nick-names.
The IRC (unerror) contains people who reckonize this kinda thing and so nobody (I hope ) was stupid enough to download/execute the files that were advertised.
I took the change and downloaded the dot zip file to a slackware testing machine.
Here is what I found out.
Now my question is: Does anyone know any good programs to decrompress this file to see the actual contents of the .exe ?First I did a 'file' on the mindjail.zip.
Turned out to be a valid zipfile version 2 required.
Unzipped it.
There was a comment in the zip file stating 'Im lame, but im not a kiddie heh'.
The zipfile contained one file: 'mindjail.html'. I renamed the file mindjail.txt
Once again a 'file' was in place. This is the output:
mindjail.html: MIME entity text
Immediatly came to mind that this was prolly some IE MIME exploit.(as seen on bugtraq some time ago)
So I did a 'cat' on the file.
This was the header of the .html: '
MIME-Version: 1.0
Content-Location:file:///javax.sun.base.exe
Content-Transfer-Encoding: base64
'
and then the base64 encoded string.
Went back to a Windows box and decoded the base64 coded program to a file named unknown.001
Copied to floppy and run a linux file on it. It told me that it was a Win 386 PE exe.
However when I loaded up a hexeditor on the file it gave me a bunch of crap.
It seems to be a UPXed file (UPX is a file compressor). It gave me UPX2.
I tried UPX from sourceforge but it kept telling me "upx: c:\safe\unknown.exe: CantUnpackException: file is possibly modified/hacked/
protected; take care!"
The discussion has hit security focus:
http://www.securityfocus.com/archive...7/2003-07-03/0 (original message)
http://www.securityfocus.com/archive/75 (security focus archive:check for 'possible new irc worm')
If anyone could shed some light on this issue I would be very delighted.
I run AV and TAUSCAN on all the .ZIP the .HTML and the .001 (exe) file and none was found.
I did not attach the file for (imo) obvious reasons. If you feel I should just let me know.
btw. The worm stopped all of a sudden (check the sec-focus for the exact date) and we have not seen it since.
Thank you.
noODle