[Full-Disclosure] is there a new virus?
matthew at textbox.net
Thu Jun 19 09:49:37 BST 2003
I have noticed an increase in irc bots using spreader methods, I came
across one recently that was bombing my IP over and over:
Typical mIRC DDoS bot:
dosusal.exe (mIRC executable)
index.html (for web stats)
markmewd.exe (hide startup)
ox.ocx (main script file)
proxy.exe (starts proxies)
quale.dll (edited moo.dll)
After checking it out it seems to have syn attacks, starting a proxy
server,e-mail spreading, sql spreading, iis spreading, netbios/local
network spreading, icq messaging.
The spread file is named trashmanx.exe ~ index.html links to
Matt <matthew at textbox.net>
On Thu, 2003-06-19 at 03:27, Philip Stortz wrote:
> is there a new virus out there or an old one spreading like wild fire? i've been getting a huge number of attempts to initiate a "netbios" session, from ip's all over the place. i'm on a slow dialup with a dynamic ip, and i got attempts from over 2 dozen ip #'s in just a few hours of use over several sessions with different ip's. since i use a mac, they aren't too much of a problem, except that they greatly slow things down and sometimes do crash programs. i've been putting all the offending machines in the stop list of my firewall, but the shear volume and ferocity of these attempts is amazing. some of them try 3 or 6 times in rapid succession, and repeat every few minutes. i've been seeing a lot more incursion attempts on other ports as well. i'm very curious about what's going on, and i suspect that many machines out there are being infected and that the netbios session is just the beginning of a virus that will do something else once it's co-opted enough machines
> i.e. a DOS attack or something else nasty (or if it continues to grow, just a traffic jam on the back bone). has any one heard of something new or old coming back? sometimes they start when i've just dialed in and downloaded my email before surfing beyond my isp at all, so they must just be hunting for machines, aggressively.
> along the same lines, there's a machine at 184.108.40.206 that's been randomly throwing packets at me (and likely many "random" addresses) several times a day. i've complained and asked for an explanation (no one else out there seems to find it necessary to randomly talk all the time) of what's going on and why. any information would be appreciated, if nothing else so i know why this is being done. that domain belongs to at&t, so i guess it might be some kind of diagnostic scan, but it's certainly obnoxious, and i have blocked that ip as well. i block any ip that tries to talk to me before i talk to them, there are no servers here obviously and all traffic slows down my connection and occasionally causes problems (doubtless some of the problems are with how my isp handles the traffic... and some may be stack overflows or other faults). these communication attempts (unfortunately my current firewall doesn't save the packets so i can't really tell what's happening) often
> ccur several times in a few seconds, and happen several times a day (or even several times in an hour). they are sometimes netbios sessions, but usually on port 1214, which apparently is used by some viruses/worms/trojans. i'd really, really like to know what's going on, and as you'd expect att has been useless and failed to even respond.
> any help/explanation of either of these problems would be greatly appreciated.
Full-Disclosure is hosted and sponsored by Secunia.