WARNING!!! IRC Possible Virus Carrier

Installing, Configuring & Operating MeginJarder

Moderator: Trekman

Kazsam
Professional Farmer
Posts: 1229
Joined: Fri Jan 31, 2003 5:28 pm


Post by Kazsam » Thu Sep 11, 2003 2:58 pm

Found this on my PC today, bastid to get rid of, only IRC I use is MeginJarder, so just a heads up to look out for it!


Virus type: Worm

Destructive: No

Aliases: W32.Spybot.Worm, Worm.P2P.SpyBot.gen, Win32.HLLW.SpyBot, Worm.SpyBot.BH

Pattern file needed: 629

Scan engine needed: 6.150

Overall risk rating: Low

--------------------------------------------------------------------------------

Reported infections: Low

Damage Potential: High

Distribution Potential: Medium



--------------------------------------------------------------------------------

Description:



This memory-resident worm propagates via network shares and has several backdoor capabilities.

It connects to an Internet Relay Chat (IRC) server, where it receives the following commands from a remote user to process on the compromised machine:

Steal Windows cached passwords
Remotely activate a key logger
Act as HTTP Web page server
Open and close CD-ROM tray
Scan ports
Download file(s)
Perform Denial of Service (DOS) attack against other systems
List and terminate running processes
List system information
Browse files on the compromised system
Execute a file remotely

It allows a malicious user to install copies of itself in several startup folders using the following file names:

BRITNEY_SPEARS_GAME.EXE
FILE.EXE
EXPLORER.EXE

To make the cleanup difficult, it terminates the following processes:

NETSTAT.EXE
TASKMGR.EXE
MSCONFIG.EXE
REGEDIT.EXE

This UPX-compressed worm runs on Windows 95, 98, ME, NT, 2000, and XP systems.
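Added example, not part of the original post or of any vendor tool: a Python sketch that walks a directory tree, reports the three file names listed above when they sit in a startup folder, and notes whether each hit carries UPX section names. It assumes the folder is literally named "Startup" (localized Windows versions use other names), and the demo tree contains only constructed dummy files.

```python
import os
import tempfile

# File names the quoted description says the worm uses in startup folders.
WORM_NAMES = {"BRITNEY_SPEARS_GAME.EXE", "FILE.EXE", "EXPLORER.EXE"}

def looks_upx_packed(path, limit=4096):
    """True if the file has an MZ header and UPX0/UPX1 section names near the start."""
    with open(path, "rb") as fh:
        head = fh.read(limit)
    return head[:2] == b"MZ" and b"UPX0" in head and b"UPX1" in head

def scan_startup_folders(root):
    """Return sorted (relative_path, upx_packed) for listed names in 'Startup' folders."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        # Assumption: the folder is literally named "Startup" (any letter case).
        if os.path.basename(dirpath).lower() != "startup":
            continue
        for name in files:
            if name.upper() in WORM_NAMES:
                full = os.path.join(dirpath, name)
                hits.append((os.path.relpath(full, root), looks_upx_packed(full)))
    return sorted(hits)

def demo():
    """Scan a constructed directory tree holding harmless dummy files."""
    with tempfile.TemporaryDirectory() as root:
        startup = os.path.join(root, "Start Menu", "Programs", "Startup")
        windir = os.path.join(root, "WINDOWS")
        os.makedirs(startup)
        os.makedirs(windir)
        plain = b"MZ" + b"\0" * 62
        dummy_upx = plain + b"UPX0" + b"\0" * 36 + b"UPX1"
        samples = {
            os.path.join(startup, "explorer.exe"): dummy_upx,  # flagged, UPX markers
            os.path.join(startup, "File.exe"): plain,          # flagged, no UPX markers
            os.path.join(startup, "readme.txt"): b"hello",     # ignored: name not listed
            os.path.join(windir, "EXPLORER.EXE"): plain,       # ignored: not a Startup folder
        }
        for path, data in samples.items():
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_startup_folders(root)

if __name__ == "__main__":
    for path, packed in demo():
        print(f"{path}  upx_packed={packed}")
```

An EXPLORER.EXE in the Windows directory is the normal shell, so the scan only reports that name when it appears inside a startup folder.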

Panzerfaust
Monarch
Posts: 8698
Joined: Fri Jan 17, 2003 12:26 am
Location: Florida

Post by Panzerfaust » Thu Sep 11, 2003 2:59 pm

Man! I wanted to play the Britney game.


Thanks Kaz

Adversity has the effect of eliciting talents, which, in prosperous circumstances, would have lain dormant. -Horace

Kazsam
Professional Farmer
Posts: 1229
Joined: Fri Jan 31, 2003 5:28 pm

Post by Kazsam » Thu Sep 11, 2003 3:00 pm

BTW I DO NOT HAVE A BRITNEY SPEARS GAME!!!!!!!!!!!!! :oops: :oops: :oops:

Trekman
Meginjarder Admin
Posts: 1533
Joined: Fri Feb 14, 2003 4:33 pm
Location: Brigand Sands Cottages, Austria

Re: WARNING!!! IRC Possible Virus Carrier

Post by Trekman » Thu Sep 11, 2003 11:00 pm

Kazsam wrote: Found this on my PC today, bastid to get rid of, only IRC I use is MeginJarder, so just a heads up to look out for it!
http://securityresponse.symantec.com/av ... .worm.html

This article only mentions mIRC as a possible IRC client to be used by the worm. Anyway, caution is also advised when using MJ, ElComs, dIRCal, ...

It also mentions the KAZAA network as a possible distributor. Do you use KAZAA?

According to that article, the worm had been discovered April 16th.
So the latest update of the antivirus software you hopefully use should already be able to block/handle that worm?!
[b][url=http://mj.lastdynasty.net/stats/meginch ... the+Axeman]Trekman the Axeman - Senior Skullsplitter and Master Of Slaughter[/url][/b]
Prim Trekmansun - Archer

Kazsam
Professional Farmer
Posts: 1229
Joined: Fri Jan 31, 2003 5:28 pm

Post by Kazsam » Fri Sep 12, 2003 7:17 am

No, I do not use Kazaa, and the last virus check I did was 2 weeks ago, so have got it since then.

Yeah there was a solution to rid it, after you spent hours trying to locate the infected files :(

Sorted now.
