August 3rd, 2003, 11:26 AM
As per my usual Heads up.. only Higher risk Threats are listed here.. ie Symantec's Cat 2 or higher.
I am already a Post Whore so I won't post every new virus/worm/trojan/threats.. or I would be booted from this board..
For this one.. How well Patched is your WindBloze System.. sry Windoze
Symantec Info Page
This one's entry is due to its damage capability and Distribution Capability.
Summary of Threat
Ports: opens a remote shell on port 57005
Target of infection: IP addresses starting with 4, 12, 24, 64, 65, 68, 128, 165, 208, 211, 213, 217, 218, or 220.
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Backdoor.IRC.Cirebot is a threat which exploits the Microsoft DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) to install a backdoor Trojan Horse on vulnerable systems. Backdoor.IRC.Cirebot consists of a Backdoor component, and a Hacktool component which installs the backdoor on systems which are vulnerable to the exploit.
Signs of infection: the existence of the files c:\rpc.exe, c:\rpctest.exe, or c:\lolx.exe.
Signs that a network is being attacked: traffic on port 445 to sequential IP addresses.
Signs that an attack has succeeded (allowing a remote shell and downloading of the backdoor): port 57005 open; an ftp connection on port 69.
You may want to read about the Security Bulletin And here from MS that relates to this.
lolx.exe or dcomx.exe (26144 bytes) -- a backdoor trojan horse based on Sdbot.
Like all IRC trojans, it connects to irc, joins a channel, and waits for commands. Its capabilities include the following:
Using ICQ to send a notification message when the backdoor is started
Downloading and executing files.
Killing running processes.
Dynamically updating the installed Trojan.
Performing Denial of Service (DoS) attacks.
Stealing CD keys.
"Securing" the machine by removing network shares.
Attacking other systems using various exploits.
The tool consists of the following files:
worm.exe (113507 bytes) -- an installer which creates
This threat is listed on the other AV Sites as:-
None noted at this time.. 10:35hrs UTC August 3rd
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
August 4th, 2003, 05:47 AM
Thanks for the heads up. I will pass this on to other people.
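An added example, not part of either post or of Symantec's write-up: a small Python check for the network signs listed in the first post (port 445 traffic to sequential IP addresses, then connections on ports 57005 and 69). The "src dst port" record format, the sample flows and the MIN_RUN threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records, "src_ip dst_ip dst_port" (not real traffic).
SAMPLE_FLOWS = """\
10.0.0.5 24.1.1.1 445
10.0.0.5 24.1.1.2 445
10.0.0.5 24.1.1.3 445
10.0.0.5 24.1.1.4 445
10.0.0.5 24.1.1.5 445
10.0.0.9 192.168.1.20 445
10.0.0.9 192.168.1.77 445
10.0.0.7 10.0.0.5 57005
10.0.0.5 10.0.0.7 69
"""

SCAN_PORT = 445            # from the post: port 445 traffic to sequential IPs
AFTER_PORTS = {57005, 69}  # from the post: remote shell port, port 69 transfer
MIN_RUN = 4                # assumed threshold: consecutive targets before alerting

def parse(text):
    for line in text.splitlines():
        try:
            src, dst, port = line.split()
            yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
        except ValueError:
            continue  # skip malformed records

def longest_run(addrs):
    """Length of the longest run of numerically consecutive addresses."""
    nums = sorted({int(a) for a in addrs})
    best = cur = 1 if nums else 0
    for prev, nxt in zip(nums, nums[1:]):
        cur = cur + 1 if nxt == prev + 1 else 1
        best = max(best, cur)
    return best

def analyse(text):
    targets, alerts = defaultdict(set), []
    for src, dst, port in parse(text):
        if port == SCAN_PORT:
            targets[src].add(dst)
        elif port in AFTER_PORTS:
            alerts.append((str(src), f"port {port} connection to {dst}"))
    for src, dsts in targets.items():
        run = longest_run(dsts)
        if run >= MIN_RUN:
            alerts.append((str(src), f"{run} sequential targets on port {SCAN_PORT}"))
    return alerts
```

Ordinary file-server traffic on port 445 (the 10.0.0.9 records) does not alert, because its destinations are not consecutive addresses.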