On doing the rounds I thought I'd return to my old network and put across some of my findings.
Many users and admins will have noticed the nuisance visiting IRC networks to PM users, offering a link to a webcam.
Info: http://secure.irc-chat.net/info.php?viri=WebCamSpam
Well, a few weeks ago the network I admin on started getting visits from spambots, so I investigated further and decided to infect my XP machine in a closed environment.
## The Basics
The bots connect using random-character usernames and masks, and register their nick on each change:
-- *** Notice -- Client connecting on port 6667: ECTMA|CX (QMRsUaRstm@xx.xx.xx.xx) [clients]
- *** Global -- from NickServ: Nick ECTMA|CX is registered to QMRsUaRstm@*.FA3EB6A3.65E7E314.IP
The registration is there to allow the bot to send PMs (some networks require a registered nick for this):
<SecureServ> OnJoin Bot Bob Received Private Message from sAd\Ji: Come watch me on my webcam and chat /w me :-) http:/xxx.xxx.xxx.xxx:1126/me.mpg
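A small detector for the two traces above, as an added example that is not part of the original post: it scans server notices and SecureServ PM reports for a webcam lure carrying a bare IP:port media link, and flags connects whose ident looks like the random-character strings the bots use. The sample log lines are constructed to mirror the ones quoted above, with documentation-range IPs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines modelled on the notices quoted in the post (IPs are placeholders).
SAMPLE_LOG = [
    "-- *** Notice -- Client connecting on port 6667: ECTMA|CX (QMRsUaRstm@192.0.2.10) [clients]",
    "<SecureServ> OnJoin Bot Bob Received Private Message from sAd\\Ji: "
    "Come watch me on my webcam and chat /w me :-) http://192.0.2.10:1126/me.mpg",
    "<SecureServ> OnJoin Bot Bob Received Private Message from alice: hey, are the ops around tonight?",
]

PM_RE = re.compile(r"Received Private Message from (?P<nick>\S+): (?P<msg>.*)$")
CONNECT_RE = re.compile(r"Client connecting on port \d+: (?P<nick>\S+) \((?P<ident>[^@]+)@(?P<host>[^)]+)\)")
# Link to a bare IP with an explicit port serving a video file, the shape of the lure in the post.
IP_MEDIA_URL_RE = re.compile(
    r"https?:/+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{2,5})/\S+\.(?:mpg|mpeg|avi|wmv)", re.I)
LURE_WORDS = ("webcam", "watch me")


@dataclass
class Alert:
    nick: str
    reason: str
    url: Optional[str] = None


def looks_random(ident: str) -> bool:
    """Heuristic: long mixed-case ident with very few vowels, like 'QMRsUaRstm' above."""
    letters = [c for c in ident if c.isalpha()]
    if len(letters) < 8 or not any(c.isupper() for c in letters) or not any(c.islower() for c in letters):
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return vowels / len(letters) < 0.3


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert for a lure PM or a random-ident connect, else None."""
    m = PM_RE.search(line)
    if m:
        msg = m.group("msg")
        url = IP_MEDIA_URL_RE.search(msg)
        if url and any(w in msg.lower() for w in LURE_WORDS):
            return Alert(m.group("nick"), "webcam lure PM with IP:port media link", url.group(0))
        return None
    m = CONNECT_RE.search(line)
    if m and looks_random(m.group("ident")):
        return Alert(m.group("nick"), f"random-looking ident {m.group('ident')} on connect")
    return None


def scan(lines):
    return [a for a in (check_line(l) for l in lines) if a]
```

Feed it the server notice log or SecureServ's report channel; an ident hit followed by a lure PM from the same host is the pattern described in this post.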
## Infection (this is why you are warned not to click links you are unsure of)
The link is in fact a redirect which takes IE into an SSL zone (the certificate is not valid), and that's where the fun starts.
Msupdater.exe is added to the Startup folder; upon the next reboot it runs, asks for access, and starts the process (it is deleted soon after).
Then the WinShow infection begins (http://www.kephyr.com/spywarescanner...ow/index.phtml).
Registry entries are added (see the link for details) and TCP port 1033 (netspy) is opened.
Once the registry values are removed, the port is no longer opened.
Many thanks,
Pr33p
Credit to SecureServ for making my life easier, and to all of the firewirez.net crew.