
Sorry if this is posted some place


2 replies to this topic

#1 The Bear


Posted 19 September 2004 - 03:22 PM

This is from another forum I am on


We have a possible issue and it could be very serious.

There is a new trojan, and it carries an IRC bot. Apparently these bots are gathering for a massive attack on the world's major DNS servers. Last count is over 300,000 bots with more coming.

FBI has been made aware of this and is taking this possibility very seriously.

Please be aware and let other admins/mods/security people know.

FBI's website is currently under attack.


iexplorer.exe is the modified mIRC, Symad.exe is wget, lysl.exe is pv, tuqa.dll and rebot.dll are mIRC DLLs.
fax.cat is the main mIRC script used for the bot.


This virus adds the following files:

c:\WINDOWS\uninstyler.exe
Date: 10/1/2002 10:33 PM
Size: 51 200 bytes
c:\WINDOWS\SYSTEM\adsýz.WMV
Date: 9/17/2004 9:13 PM
Size: 526 056 bytes
c:\WINDOWS\SYSTEM\calc.hlp
Date: 8/28/2004 2:17 PM
Size: 1 141 bytes
c:\WINDOWS\SYSTEM\cclob.dll
Date: 8/28/2004 2:02 PM
Size: 535 bytes
c:\WINDOWS\SYSTEM\fdisk.chm
Date: 9/16/2004 7:22 PM
Size: 259 bytes
c:\WINDOWS\SYSTEM\gamedll.dll
Date: 9/16/2004 12:58 PM
Size: 1 265 bytes
c:\WINDOWS\SYSTEM\HaGe.dll
Date: 4/6/2004 6:47 PM
Size: 481 bytes
c:\WINDOWS\SYSTEM\HFrom.dll
Date: 8/13/2004 6:23 PM
Size: 411 bytes
c:\WINDOWS\SYSTEM\Hhell.dll
Date: 9/16/2004 2:22 PM
Size: 365 bytes
c:\WINDOWS\SYSTEM\HJob.dll
Date: 4/6/2004 6:49 PM
Size: 199 bytes
c:\WINDOWS\SYSTEM\HName.dll
Date: 4/6/2004 6:52 PM
Size: 238 bytes
c:\WINDOWS\SYSTEM\HNas.dll
Date: 8/13/2004 6:17 PM
Size: 1 570 bytes
c:\WINDOWS\SYSTEM\HNbr.dll
Date: 4/6/2004 6:44 PM
Size: 858 bytes
c:\WINDOWS\SYSTEM\HNerd.dll
Date: 4/6/2004 6:53 PM
Size: 75 bytes
c:\WINDOWS\SYSTEM\iexplorer.exe
Date: 8/10/2004 11:37 PM
Size: 1 731 584 bytes
c:\WINDOWS\SYSTEM\kernel32.chm
Date: 9/16/2004 1:16 PM
Size: 187 bytes
c:\WINDOWS\SYSTEM\korss.dll
Date: 8/13/2004 11:52 AM
Size: 2 182 bytes
c:\WINDOWS\SYSTEM\lysl.exe
Date: 5/1/2002 3:32 PM
Size: 25 600 bytes
c:\WINDOWS\SYSTEM\Mread.dll
Date: 4/17/2004 1:36 PM
Size: 121 bytes
c:\WINDOWS\SYSTEM\mrsn.exe
Date: 9/17/2004 2:06 PM
Size: 39 936 bytes
c:\WINDOWS\SYSTEM\Mxdll.dll
Date: 8/15/2004 1:59 AM
Size: 259 bytes
c:\WINDOWS\SYSTEM\MXzir.dll
Date: 9/17/2004 5:46 PM
Size: 935 bytes
c:\WINDOWS\SYSTEM\networs.exe
Date: 8/11/2004 3:42 PM
Size: 1 120 bytes
c:\WINDOWS\SYSTEM\ping.chm
Date: 8/11/2004 3:04 PM
Size: 502 bytes
c:\WINDOWS\SYSTEM\ping.hlp
Date: 9/17/2004 9:15 PM
Size: 2 721 bytes
c:\WINDOWS\SYSTEM\rebot.dll
Date: 8/14/2002 3:27 PM
Size: 10 240 bytes
c:\WINDOWS\SYSTEM\reshard.exe
Date: 8/13/2004 11:13 AM
Size: 766 bytes
c:\WINDOWS\SYSTEM\restore.hlp
Date: 8/11/2004 3:21 PM
Size: 1 523 bytes
c:\WINDOWS\SYSTEM\rmtkl.dll
Date: 8/13/2004 12:36 PM
Size: 6 561 bytes
c:\WINDOWS\SYSTEM\Symad.exe
Date: 7/1/1999 6:36 PM
Size: 162 816 bytes
c:\WINDOWS\SYSTEM\system.dll
Date: 9/17/2004 5:48 PM
Size: 32 bytes
c:\WINDOWS\SYSTEM\tuqa.dll
Date: 1/26/2004 1:40 AM
Size: 40 960 bytes
c:\WINDOWS\SYSTEM\uninstall.uni
Date: 9/18/2004 10:07 AM
Size: 1 289 bytes
c:\WINDOWS\SYSTEM\users.chm
Date: 8/15/2004 12:38 AM
Size: 559 bytes
c:\WINDOWS\SYSTEM\vxays.sys
Date: 8/11/2004 3:12 PM
Size: 1 305 bytes
c:\WINDOWS\SYSTEM\welcome.chm
Date: 8/15/2004 1:54 AM
Size: 30 bytes
c:\WINDOWS\SYSTEM\Xdbleep.vxd
Date: 6/22/2004 10:19 AM
Size: 228 bytes
c:\WINDOWS\SYSTEM\yeter.txt
Date: 8/13/2004 7:08 PM
Size: 248 bytes
c:\WINDOWS\SYSTEM\zerz.dll
Date: 8/15/2004 1:55 AM
Size: 80 bytes
c:\WINDOWS\SYSTEM\COLOR\frresh.icm
Date: 9/16/2004 12:44 PM
Size: 480 bytes
c:\WINDOWS\SYSTEM\COLOR\Windows.icm
Date: 8/11/2004 1:28 AM
Size: 178 550 bytes
c:\WINDOWS\SYSTEM\COLOR\Windows-Xp.icm
Date: 9/17/2004 5:34 PM
Size: 341 bytes
c:\WINDOWS\SYSTEM\Drivers\fax.cat
Date: 9/17/2004 9:15 PM
Size: 25 942 bytes
c:\WINDOWS\SYSTEM\Drivers\Symca.cat
Date: 8/11/2004 1:41 AM
Size: 985 bytes

There will be a permanent connection to either irc.zurna.net or irc.e-kolay.net, as well as random connections to various IRC servers and possibly M$N too

There is an uninstaller, no clue if it'll work, the value is "My Application" with the command line C:\WINDOWS\uninstyler.exe "C:\WINDOWS\SYSTEM\uninstall.uni"

Looks like someone didn't config the installer properly.

This has a potential for a massive attack, I counted 10000 bots at e-kolay, so far all the proxies I've used were glined from zurna.
Computer help forums are full of those that go around the internet
clicking Willy Nilly and installing or downloading everything in sight
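
An added example, not part of the original post or of the forum it quotes: a Python triage sketch that parses the path / Date / Size listing format used in the post and compares it with a host file inventory, treating a path-plus-size agreement as stronger evidence than a path-only one. The function names and the host inventory are constructed for illustration; the four listing entries are copied from the post.

```python
import re
from datetime import datetime

# Four entries copied from the post's listing, in its path / Date / Size layout.
LISTING = r"""
c:\WINDOWS\SYSTEM\iexplorer.exe
Date: 8/10/2004 11:37 PM
Size: 1 731 584 bytes
c:\WINDOWS\SYSTEM\Symad.exe
Date: 7/1/1999 6:36 PM
Size: 162 816 bytes
c:\WINDOWS\SYSTEM\lysl.exe
Date: 5/1/2002 3:32 PM
Size: 25 600 bytes
c:\WINDOWS\SYSTEM\Drivers\fax.cat
Date: 9/17/2004 9:15 PM
Size: 25 942 bytes
"""

ENTRY = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+)\nDate: (?P<date>.+)\nSize: (?P<size>[\d ]+) bytes$",
    re.M,
)

def parse_listing(text):
    """Return {lowercased path: (timestamp, size in bytes)} from the post's format."""
    out = {}
    for m in ENTRY.finditer(text):
        when = datetime.strptime(m["date"].strip(), "%m/%d/%Y %I:%M %p")
        out[m["path"].strip().lower()] = (when, int(m["size"].replace(" ", "")))
    return out

def triage(inventory, indicators):
    """Label each (path, size) from a host: 'match' if path and size both agree,
    'name-only' if just the path agrees (a variant or a coincidental name)."""
    hits = []
    for path, size in inventory:
        known = indicators.get(path.lower())  # Windows paths are case-insensitive
        if known is not None:
            hits.append((path, "match" if known[1] == size else "name-only"))
    return hits

# Constructed host inventory (not from the post): one listed file, one listed
# path with a different size, and the legitimately named browser binary.
INVENTORY = [
    (r"C:\Windows\System\IEXPLORER.EXE", 1731584),
    (r"C:\WINDOWS\SYSTEM\Drivers\fax.cat", 4096),
    (r"C:\Program Files\Internet Explorer\iexplore.exe", 93184),
]
```
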



#2 Grinler

    Lawrence Abrams



Posted 19 September 2004 - 07:57 PM

Yeah, I saw that, but have not seen any on the logs here as of yet.

Thanks for the post though.

#3 ChrisRLG

    Anti-Malware Teacher



Posted 20 September 2004 - 04:25 AM

Update

Has been overhyped.

JackB's last estimate: 15k, not 800k.

Check posts in BootCamp and Classroom
ASAP member since 2004 - MS MVP member since 2005
Matthew 7:7"Ask and it will be given to you; seek and you will find; knock and a door will be opened to you."



