Full Version: Sorry if this is posted some place
BleepingComputer.com > Security > Breaking Virus & Security News
   
The Bear
This is from another forum I am on


We have a possible issue and it could be very serious.

There is a new trojan, and it carries an IRC bot. Apparently these bots are gathering for a massive attack on the world's major DNS servers. Last count is over 300,000 bots with more coming.

FBI has been made aware of this and is taking this possibility very seriously.

Please be aware and let other admins/mods/security people know.

FBI's website is currently under attack.


iexplorer.exe is the modified mIRC, Symad.exe is wget, lysl.exe is pv, tuqa.dll and rebot.dll are mIRC DLLs.
fax.cat is the main mirc script used for the bot


This virus adds the following files:

c:\WINDOWS\uninstyler.exe
Date: 10/1/2002 10:33 PM
Size: 51 200 bytes
c:\WINDOWS\SYSTEM\adsýz.WMV
Date: 9/17/2004 9:13 PM
Size: 526 056 bytes
c:\WINDOWS\SYSTEM\calc.hlp
Date: 8/28/2004 2:17 PM
Size: 1 141 bytes
c:\WINDOWS\SYSTEM\cclob.dll
Date: 8/28/2004 2:02 PM
Size: 535 bytes
c:\WINDOWS\SYSTEM\fdisk.chm
Date: 9/16/2004 7:22 PM
Size: 259 bytes
c:\WINDOWS\SYSTEM\gamedll.dll
Date: 9/16/2004 12:58 PM
Size: 1 265 bytes
c:\WINDOWS\SYSTEM\HaGe.dll
Date: 4/6/2004 6:47 PM
Size: 481 bytes
c:\WINDOWS\SYSTEM\HFrom.dll
Date: 8/13/2004 6:23 PM
Size: 411 bytes
c:\WINDOWS\SYSTEM\Hhell.dll
Date: 9/16/2004 2:22 PM
Size: 365 bytes
c:\WINDOWS\SYSTEM\HJob.dll
Date: 4/6/2004 6:49 PM
Size: 199 bytes
c:\WINDOWS\SYSTEM\HName.dll
Date: 4/6/2004 6:52 PM
Size: 238 bytes
c:\WINDOWS\SYSTEM\HNas.dll
Date: 8/13/2004 6:17 PM
Size: 1 570 bytes
c:\WINDOWS\SYSTEM\HNbr.dll
Date: 4/6/2004 6:44 PM
Size: 858 bytes
c:\WINDOWS\SYSTEM\HNerd.dll
Date: 4/6/2004 6:53 PM
Size: 75 bytes
c:\WINDOWS\SYSTEM\iexplorer.exe
Date: 8/10/2004 11:37 PM
Size: 1 731 584 bytes
c:\WINDOWS\SYSTEM\kernel32.chm
Date: 9/16/2004 1:16 PM
Size: 187 bytes
c:\WINDOWS\SYSTEM\korss.dll
Date: 8/13/2004 11:52 AM
Size: 2 182 bytes
c:\WINDOWS\SYSTEM\lysl.exe
Date: 5/1/2002 3:32 PM
Size: 25 600 bytes
c:\WINDOWS\SYSTEM\Mread.dll
Date: 4/17/2004 1:36 PM
Size: 121 bytes
c:\WINDOWS\SYSTEM\mrsn.exe
Date: 9/17/2004 2:06 PM
Size: 39 936 bytes
c:\WINDOWS\SYSTEM\Mxdll.dll
Date: 8/15/2004 1:59 AM
Size: 259 bytes
c:\WINDOWS\SYSTEM\MXzir.dll
Date: 9/17/2004 5:46 PM
Size: 935 bytes
c:\WINDOWS\SYSTEM\networs.exe
Date: 8/11/2004 3:42 PM
Size: 1 120 bytes
c:\WINDOWS\SYSTEM\ping.chm
Date: 8/11/2004 3:04 PM
Size: 502 bytes
c:\WINDOWS\SYSTEM\ping.hlp
Date: 9/17/2004 9:15 PM
Size: 2 721 bytes
c:\WINDOWS\SYSTEM\rebot.dll
Date: 8/14/2002 3:27 PM
Size: 10 240 bytes
c:\WINDOWS\SYSTEM\reshard.exe
Date: 8/13/2004 11:13 AM
Size: 766 bytes
c:\WINDOWS\SYSTEM\restore.hlp
Date: 8/11/2004 3:21 PM
Size: 1 523 bytes
c:\WINDOWS\SYSTEM\rmtkl.dll
Date: 8/13/2004 12:36 PM
Size: 6 561 bytes
c:\WINDOWS\SYSTEM\Symad.exe
Date: 7/1/1999 6:36 PM
Size: 162 816 bytes
c:\WINDOWS\SYSTEM\system.dll
Date: 9/17/2004 5:48 PM
Size: 32 bytes
c:\WINDOWS\SYSTEM\tuqa.dll
Date: 1/26/2004 1:40 AM
Size: 40 960 bytes
c:\WINDOWS\SYSTEM\uninstall.uni
Date: 9/18/2004 10:07 AM
Size: 1 289 bytes
c:\WINDOWS\SYSTEM\users.chm
Date: 8/15/2004 12:38 AM
Size: 559 bytes
c:\WINDOWS\SYSTEM\vxays.sys
Date: 8/11/2004 3:12 PM
Size: 1 305 bytes
c:\WINDOWS\SYSTEM\welcome.chm
Date: 8/15/2004 1:54 AM
Size: 30 bytes
c:\WINDOWS\SYSTEM\Xdbleep.vxd
Date: 6/22/2004 10:19 AM
Size: 228 bytes
c:\WINDOWS\SYSTEM\yeter.txt
Date: 8/13/2004 7:08 PM
Size: 248 bytes
c:\WINDOWS\SYSTEM\zerz.dll
Date: 8/15/2004 1:55 AM
Size: 80 bytes
c:\WINDOWS\SYSTEM\COLOR\frresh.icm
Date: 9/16/2004 12:44 PM
Size: 480 bytes
c:\WINDOWS\SYSTEM\COLOR\Windows.icm
Date: 8/11/2004 1:28 AM
Size: 178 550 bytes
c:\WINDOWS\SYSTEM\COLOR\Windows-Xp.icm
Date: 9/17/2004 5:34 PM
Size: 341 bytes
c:\WINDOWS\SYSTEM\Drivers\fax.cat
Date: 9/17/2004 9:15 PM
Size: 25 942 bytes
c:\WINDOWS\SYSTEM\Drivers\Symca.cat
Date: 8/11/2004 1:41 AM
Size: 985 bytes

There will be a permanent connection to either irc.zurna.net or irc.e-kolay.net, as well as random connections to various IRC servers and possibly M$N too

There is an uninstaller, no clue if it'll work, the value is "My Application" with the command line C:\WINDOWS\uninstyler.exe "C:\WINDOWS\SYSTEM\uninstall.uni"

Looks like someone didn't configure the installer properly.

This has the potential for a massive attack. I counted 10000 bots at e-kolay; so far all the proxies I've used were G-lined from zurna.
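The file list above is posted in a fixed three-line layout (path, Date, Size with a space as the thousands separator). As an added example, not from the post or from any tool it mentions, the script below parses that layout into indicator records and checks a mounted drive or offline image for files with the same relative path and byte size. Only three entries from the post are reproduced inline as a constructed sample; the root directory, the `demo_scan` helper and its temporary decoy file are assumptions for demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed excerpt of the posted list, copied in the same layout the post uses.
# Paste the full list from the post here to check every entry.
POSTED_LIST = """\
c:\\WINDOWS\\uninstyler.exe
Date: 10/1/2002 10:33 PM
Size: 51 200 bytes
c:\\WINDOWS\\SYSTEM\\iexplorer.exe
Date: 8/10/2004 11:37 PM
Size: 1 731 584 bytes
c:\\WINDOWS\\SYSTEM\\Drivers\\fax.cat
Date: 9/17/2004 9:15 PM
Size: 25 942 bytes
"""

SIZE_RE = re.compile(r"^Size:\s*([\d ]+?)\s*bytes$", re.IGNORECASE)


def parse_posted_list(text):
    """Turn path/Date/Size triplets into records of relative path, size and date.
    The drive letter is stripped so a record can be checked under any root."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records = []
    for i in range(0, len(lines), 3):
        path = lines[i]
        date_line = lines[i + 1] if i + 1 < len(lines) else ""
        size_line = lines[i + 2] if i + 2 < len(lines) else ""
        m = SIZE_RE.match(size_line)
        size = int(m.group(1).replace(" ", "")) if m else None  # "1 731 584" -> 1731584
        rel = re.sub(r"^[A-Za-z]:\\", "", path).replace("\\", "/")
        date = date_line[len("Date:"):].strip() if date_line.startswith("Date:") else date_line
        records.append({"path": rel, "size": size, "date": date})
    return records


def scan_root(root, records):
    """Check each record under `root` (a mounted drive or an offline image).
    Returns (relative path, status) for every file that exists; absent files
    are skipped. On a case-insensitive Windows volume the lookup matches
    regardless of case, which is what the posted paths assume."""
    hits = []
    root = Path(root)
    for rec in records:
        candidate = root / rec["path"]
        if not candidate.is_file():
            continue
        actual = candidate.stat().st_size
        if actual == rec["size"]:
            status = "size matches"
        else:
            # Same name but different size: still worth a look, but a weaker signal.
            status = f"size differs ({actual} bytes)"
        hits.append((rec["path"], status))
    return hits


def demo_scan():
    """Assumed demo helper: builds a throwaway tree with one constructed decoy
    file that mimics the posted iexplorer.exe entry and scans it."""
    records = parse_posted_list(POSTED_LIST)
    with tempfile.TemporaryDirectory() as root:
        target_dir = os.path.join(root, "WINDOWS", "SYSTEM")
        os.makedirs(target_dir)
        with open(os.path.join(target_dir, "iexplorer.exe"), "wb") as fh:
            fh.write(b"\0" * 1731584)  # constructed filler of the posted size
        return scan_root(root, records)


if __name__ == "__main__":
    for path, status in demo_scan():
        print(f"{path}: {status}")
```

Name-plus-size matching is only a first pass: the tiny helper files in the list (a few hundred bytes) will collide with benign files by size alone, so treat a hit as a trigger for closer inspection rather than a verdict, and confirm with the uninstaller Run value the post mentions.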
Grinler
Yeah, I saw that, but have not seen any on the logs here as of yet.

Thanks for the post though
ChrisRLG
Update

Has been over hyped.

JackB's last estimate: 15k, not 800k.

Check posts in BootCamp and Classroom