Page 2 of 3
Results 11 to 20 of 21

Thread: New M$ virus affects all versions of M$ Windows?!

  1. #11
    AntiOnline Senior Member
    Join Date: Oct 2001
    Posts: 514
    powertoad PMed me asking for gates.txt. Unfortunately, I have already discarded it. The best I can do is describe what was in it for you. It was a simple text file with many, many IP addresses and servers listed. I am guessing gates.txt is the text file which keeps track of the addresses that the trojan can connect to. Hope this helps!

    - uraloony
    uraloony, Founder of Loony Services
    Visit us at http://www.loonyservices.com/

  2. #12
    Senior Member
    Join Date: Feb 2002
    Posts: 500
    Retoor:

    Someone already said what's in gates.txt:
    "Well, I scanned my comp and I was clean of all files except gates.txt. It was full of IP addies and server listings... Idk what it means. Oh well." (posted above)
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/

  3. #13
    Junior Member
    Join Date: Aug 2001
    Posts: 11
    Guys,
    you are lucky, I had that virus. I cleaned all files and moved them to a safe place. The gates.txt was one of the first I opened; I thought I would find something funny, but it wasn't. It's another configuration file.

    Check out this other thread I had started:
    http://www.antionline.com/showthread...hreadid=234448

    It's the same virus.
    On newbie.org (I saw a previous post about it) they describe it pretty well. I haven't understood how I got it, anyway... The first thing you should notice, if you have it, is that it runs a DOS program at startup: you will see a DOS window opening and closing quickly. If you check your ports you will also find an open port to an IRCd.

    Regards,
    Mith

  4. #14
    Senior Member
    Join Date: Jun 2002
    Posts: 405
    MS "solves" mystery of hacking spree

    http://zdnet.com.com/2100-1105-957159.html

    An advisory from the software giant last week warned companies of a number of attacks targeting servers running Windows 2000, the cause of which had initially puzzled Microsoft. After following a trail of evidence left behind on compromised Windows 2000 servers, the company now believes that hackers have systematically exploited Windows 2000 servers that haven't been properly locked down, rather than a hole in the operating system.
    the software giant didn't explain why every computer attacked happened to be a Windows 2000 server. Insecure password problems affect all computers, not just a single version of an operating system.
    Why this stinks:
    (1) Still no explanation as to the function of 'gates.txt' - maybe it is just a configuration file - if it's IP addresses, is it possible that it is a list of all the compromised computers?
    (2) There were a 'significant' number of compromises, yet it is put down to (a group of?) hackers... how many is 'significant'?
    (3) From Mith's post, it sounds more like a virus/worm than a trojan that one has to use manually - that's just my n00b opinion.

    Am I paranoid, or is there some merit to these ideas? What do you guys think?

  5. #15
    Junior Member
    Join Date: Aug 2001
    Posts: 11
    To me, it's a DoS attack script. I opened all files; there are a couple of executables: taskmngr.exe (the real prog) and mdm.exe (to hide execution of taskmngr.exe), and also psexec.exe, which is needed to start the others.
    All the other files, *.dll and *.hlp, are mIRC scripts to join channels, list other clones and send attacks to remote PCs.

    I'm at work now (I had the virus on my home PC), but I can tell you that I saw some lines in which the attacker could send a command on the public channel and the BOT would attack a remote host. There's even syntax help that tells the attacker that he forgot the remote host IP or similar things.

    There's also a strange file with a HUGE list of nicknames (typical IRC style, such as TheUnd3rtak3r and so on). When I got on IRC I searched for a few of those, but I couldn't find any.

    Oh, another funny thing is that the default nickname for the BOT was a simple nick, something like "The_cute_one", but then there's a line to generate a random nick. When I got on IRC I searched for "The_cute_one" and he was online. He didn't answer my messages and I couldn't see which channel he was in, of course.

    If gates.txt is so interesting to the group, I can paste it.

    Something you might care about, also, is that the script tries to catch your wp_ftp and flashfxp password file, it copies them into c:\winnt\system32 and notifies the channel of your local IP (and saves it into one of the .ini files).
    Luckily I have a dynamic IP on my DSL, so I simply needed to turn off and on my router.

    Laters,
    Mith
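    The two posts from Mith above (#13 and #15) give a defender three concrete things to look for on a suspect box: an established session to an IRC daemon, the dropped files in system32 (taskmngr.exe, mdm.exe, psexec.exe, gates.txt, and mIRC scripts saved under .dll/.hlp names), and the gates.txt list of addresses and servers. The script below is an added triage example written for this thread; it is not code from the posts, from Microsoft or from any vendor. Its sample netstat output, directory listing and gates.txt body are constructed, and the one-target-per-line format assumed for gates.txt is an assumption, since the posts only say the file holds IP addresses and server names.

```python
"""Host triage for the IRC-bot trojan described in the thread.

Added example, not code from the thread or from any vendor. The file
names (taskmngr.exe, mdm.exe, psexec.exe, gates.txt, mIRC scripts saved
as .dll/.hlp) are the ones the posts mention; all sample data below is
constructed for the demonstration.
"""
import ipaddress
import re

# Names quoted in the thread. psexec.exe is also a legitimate admin tool,
# so by itself it is only a weak indicator.
KNOWN_NAMES = {"taskmngr.exe", "mdm.exe", "gates.txt"}
WEAK_NAMES = {"psexec.exe"}

# Conventional IRC daemon ports; an ESTABLISHED session from a server to
# one of these is the "open port to an IRCd" the posts describe.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Fragments that appear in mIRC scripting but never in a real PE image.
SCRIPT_MARKERS = (b"on *:", b"alias ", b"/msg ", b"ctcp ")

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)", re.IGNORECASE)
HOSTPORT_RE = re.compile(r"^([A-Za-z0-9.\-]+)(?::(\d+))?$")


def irc_connections(netstat_lines):
    """Return (local, remote_ip, remote_port) for established TCP sessions
    to IRC ports, parsed from 'netstat -an' style output."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        lip, lport, rip, rport, state = m.groups()
        if state.upper() == "ESTABLISHED" and int(rport) in IRC_PORTS:
            hits.append((f"{lip}:{lport}", rip, int(rport)))
    return hits


def suspicious_files(listing):
    """listing maps a file name to the first bytes of that file (as a
    directory walk of system32 would supply). Returns name -> reason."""
    findings = {}
    for name, head in listing.items():
        lname = name.lower()
        if lname in KNOWN_NAMES:
            findings[name] = "file name quoted as part of the bot"
        elif lname in WEAK_NAMES:
            findings[name] = "admin tool the bot also carries (weak indicator)"
        elif lname.endswith((".dll", ".hlp")) and any(
                mk in head for mk in SCRIPT_MARKERS):
            findings[name] = "mIRC script stored under a misleading extension"
        elif lname.endswith(".dll") and not head.startswith(b"MZ"):
            # Every real DLL is a PE image and starts with the 'MZ' stub.
            findings[name] = ".dll without a PE header"
    return findings


def parse_gates(text):
    """Split a gates.txt style list into IP and hostname entries, keeping
    an optional :port. Assumed format: one target per line, '#' comments."""
    out = {"ips": [], "hosts": []}
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        m = HOSTPORT_RE.match(entry)
        if not m:
            continue
        target, port = m.group(1), (int(m.group(2)) if m.group(2) else None)
        try:
            ipaddress.ip_address(target)
            out["ips"].append((target, port))
        except ValueError:
            out["hosts"].append((target, port))
    return out


# Constructed sample input: a netstat snapshot, a partial system32 listing
# (file name -> first bytes) and a gates.txt body.
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    10.0.0.5:1041          192.0.2.10:6667        ESTABLISHED",
    "  TCP    10.0.0.5:1042          192.0.2.20:80          ESTABLISHED",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
]
SAMPLE_LISTING = {
    "kernel32.dll": b"MZ\x90\x00",
    "taskmngr.exe": b"MZ\x90\x00",
    "psexec.exe": b"MZ\x90\x00",
    "script1.dll": b"on *:TEXT:*!attack*:#:{ ... }",
    "gates.txt": b"192.0.2.10:6667\n",
    "readme.hlp": b"?_\x03\x00",
}
SAMPLE_GATES = "192.0.2.10:6667\nirc.example.net\n# comment\n192.0.2.11\n"

if __name__ == "__main__":
    print(irc_connections(SAMPLE_NETSTAT))
    print(suspicious_files(SAMPLE_LISTING))
    print(parse_gates(SAMPLE_GATES))
```

    On a real host you would feed `irc_connections` the lines of `netstat -an` and `suspicious_files` the first few bytes of each file under system32; the extension-versus-content check is the part worth keeping, because a ".dll" that is really a text script never carries the MZ header a loader would expect. The IP entries that `parse_gates` returns are the ones to compare against your own address ranges, given the thread's open question of whether the list names other compromised machines.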

  6. #16
    Senior Member
    Join Date: Aug 2001
    Posts: 352
    gates.txt?
    Doesn't that sort of ring a bell? What about internet gate(ways)? They would most likely have static IPs; maybe it is some form of worm that is similar to Code Red a few months back?

    Just an idea, I'm not sure if it seems feasible to any of you guys though...

  7. #17
    Just a Virtualized Geek (MrLinus)
    Join Date: Sep 2001
    Location: Redondo Beach, CA
    Posts: 7,323
    mrleachy was on track. A little poking about found this: http://vil.nai.com/vil/content/v_98936.htm

    It doesn't surprise me that this so-called "New M$ Virus" seems to have been infecting servers, although all could be affected. And poor password management is a valid reason, IMHO. When you look at what was infecting the machines (older trojans and viruses -- this one here dating back to the fall of 200) you have to wonder if the administration is perhaps being lax in their antivirus updates and general administrative duties.

    Perhaps if some of those admins had done a little visit to google or other places they might have found their answers.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #18
    The Doctor (Und3ertak3r)
    Join Date: Apr 2002
    Posts: 2,744
    "There's also a strange file with a HUGE list of nicknames (typical IRC standard, such as TheUnd3rtak3r and so). When I got on IRC I searched for a few of those, but I couldn't find any."
    That would be right... the-bloody-und3rtaker. I wouldn't trust someone with that sort of nick...
    would you??


    Cheers

    (Sry for wasting the space on this one)
    "Consumer technology now exceeds the average person's ability to comprehend how to use it... give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  9. #19
    Senior Member
    Join Date: Feb 2002
    Posts: 177
    MsMittens: Poor administration had a heavy hand in this scenario, but how would you explain that Windows 2000 servers are the only affected servers?

    However, the software giant didn't explain why every computer attacked happened to be a Windows 2000 server. Insecure password problems affect all computers, not just a single version of an operating system.
    Taken from PowerToad's link here.

    Like the article says, if this was only a weak password issue, then wouldn't we be seeing this same thing on all Windows platforms, not just 2000?

  10. #20
    Just a Virtualized Geek (MrLinus)
    Join Date: Sep 2001
    Location: Redondo Beach, CA
    Posts: 7,323
    Let me ask you this: which will have more "valuable" info and more power? A Windows 98 Machine, Windows 95, Windows 2000 Professional or Windows 2000 Server?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
