On doing the rounds I thought I'd return to my old network and put across some of my findings.

Many users and admins will have noticed the nuisance visiting IRC networks to PM users, offering a link to a webcam.

Info: http://secure.irc-chat.net/info.php?viri=WebCamSpam

Well, a few weeks ago the network I admin on started getting visits from spambots, so I investigated further and decided to infect my XP machine in a closed environment.

## The Basics
The bots connect using random-character usernames and masks, and register their nick on each change.

-- *** Notice -- Client connecting on port 6667: ECTMA|CX (QMRsUaRstm@xx.xx.xx.xx) [clients]

- *** Global -- from NickServ: Nick ECTMA|CX is registered to QMRsUaRstm@*.FA3EB6A3.65E7E314.IP

The register process is to allow the bot to send PMs (some networks require this).

<SecureServ> OnJoin Bot Bob Received Private Message from sAd\Ji: Come watch me on my webcam and chat /w me :-) http:/xxx.xxx.xxx.xxx:1126/me.mpg
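As an added example (not from the original post), a small Python scan over log lines constructed to match the notices quoted above: it flags clients whose ident looks random and who register their nick straight after connecting, and PMs that pair a webcam pitch with a link to a bare IP and high port. The sample lines, the documentation IP addresses and the "looks random" heuristic are all assumptions made here.

```python
import re

# Constructed sample lines modelled on the notices quoted in the post (nicks from the post, IPs replaced).
SAMPLE_LINES = [
    "*** Notice -- Client connecting on port 6667: ECTMA|CX (QMRsUaRstm@192.0.2.10) [clients]",
    "*** Global -- from NickServ: Nick ECTMA|CX is registered to QMRsUaRstm@*.FA3EB6A3.65E7E314.IP",
    "<SecureServ> OnJoin Bot Bob Received Private Message from sAd\\Ji: "
    "Come watch me on my webcam and chat /w me :-) http:/192.0.2.10:1126/me.mpg",
    "*** Notice -- Client connecting on port 6667: alice (alice@192.0.2.20) [clients]",
    "<SecureServ> OnJoin Bot Bob Received Private Message from alice: hi, is the admin around?",
]

CONNECT_RE = re.compile(r"Client connecting on port \d+: (\S+) \((\S+)@\S+\)")
REGISTER_RE = re.compile(r"from NickServ: Nick (\S+) is registered to (\S+)@")
PM_RE = re.compile(r"Received Private Message from (\S+): (.*)$")
# The spam link points at a bare IP and a high port; the post shows it with a single slash.
LINK_RE = re.compile(r"https?:/{1,2}(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/\S*", re.I)
SPAM_WORDS = ("webcam", "watch me")  # assumed keywords, taken from the quoted PM

def case_switches(s):
    """Count upper/lower transitions between letters; QMRsUaRstm has five."""
    letters = [c for c in s if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())

def looks_random(ident):
    """Assumed heuristic: a long ident whose case flips back and forth."""
    return len(ident) >= 8 and case_switches(ident) >= 3

def scan(lines):
    """Return (suspicious_clients, spam_pms) from server notices and SecureServ reports."""
    connected = {}   # nick -> ident seen on connect
    suspicious = {}  # nick -> list of reasons
    spam_pms = {}    # PM sender -> (ip, port) of the advertised link
    for line in lines:
        if m := CONNECT_RE.search(line):
            nick, ident = m.groups()
            connected[nick] = ident
            if looks_random(ident):
                suspicious.setdefault(nick, []).append("random-looking ident")
        elif m := REGISTER_RE.search(line):
            nick, ident = m.groups()
            if connected.get(nick) == ident:
                suspicious.setdefault(nick, []).append("registered nick right after connecting")
        elif m := PM_RE.search(line):
            sender, text = m.groups()
            link = LINK_RE.search(text)
            if link and any(w in text.lower() for w in SPAM_WORDS):
                spam_pms[sender] = (link.group(1), int(link.group(2)))
    return suspicious, spam_pms
```

Feeding it real server notices would mean adjusting the three regexes to your ircd's notice format; the heuristic thresholds are a starting point, not a tuned rule.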


## Infection (this is why you are warned not to click links you are unsure of)

The link is in fact a forward which takes IE into an SSL zone (cert not valid), and that's where the fun starts.

Msupdater.exe is added into the startup folder; upon next reboot it runs, MSupdater.exe asks for access and starts the process (deleted soon after).

Then the winshow infection begins. (http://www.kephyr.com/spywarescanner...ow/index.phtml)

Registry entries are added (see link for details) and port 1033 TCP (netspy) is opened.

Upon the registry values being removed, the port is no longer opened.

Many thanks,
Pr33p

Credit to SecureServ for making my life easier, and to all of the firewirez.net crew.