[Dshield] headers of MS patch

Micheal Patterson micheal at tsgincorporated.com
Tue Sep 23 05:23:32 GMT 2003


Maybe it's just me, but this thing looks like it may be geared to use any
number of outbound connected services. I got hold of this thing on my Unix
box and ran a strings command against it to see what it held; check this
out:

HEAD %s
RCPT TO: <%s>
QUIT
DATA
MAIL FROM: <%s>
HELO %s
-------------

That tells me that it's got a built-in SMTP client. Nothing new here.

--------------

Content-Type: audio/x-
</BODY></HTML>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
to <B>%s@%s</B>
mail
message
<BR><BR><BR>Undelivered
<BR><BR><BR>Undeliverable
to one or more destinations.<BR>
to the following addresses:<BR>
the message returned below could not be delivered =
I wasn't able to deliver your message =
<BR>I'm afraid =
<BR>I'm sorry to have to inform you that =
<BR>I'm sorry =
<BR>
<BR>Message from
<BR>This is the qmail program<BR>
<BR><BR>Hi.
" height=3D0 width=3D0></iframe>
<iframe src=3D"cid:
<HTML>
<HEAD></HEAD>
<BODY>
Mime-Version: 1.0
Content-Type: multipart/alternative;
        boundary="

--------
This tells me that it pretends to be a qmail error. This isn't new either.
--------

It appears to attempt a web connection to the following location:

GET http://ww2.fce.vutbr.cz/bin/counter.gif/link=bacillus&width=6&set=cnt006
HTTP/1.0

--------

It also appears to attempt to spread itself via Usenet news:

[%s:%c]
 GMT
NEWNEWS %s %02u%02u%02u %02u%02u%02u
LISTGROUP %s
reply-to:
from:
POST

----

Also, it appears to attempt to spread via IRC, using the on:join
function below:

n3=}
[script]
n0= on 1:JOIN:#:{
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick "
\script.bcp
\script.ini
\mirc.ini
\mirc32
\mirc

----

And it also touches Kazaa in some fashion.

Kazaa Infect
Dir99
DlDir0
\Transfer
DownloadDir
DisableSharing
\LocalContent
Software\Kazaa

---

Maybe I'm way off base on what I'm seeing, but this doesn't look at all
pleasant. This is from the files PATCH934.exe and Q148934.exe.

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600
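Added example, not part of the original post: a small Python triage script that does what the post does by hand. It pulls printable strings out of a file image and flags the capability indicators quoted above (SMTP client, fake qmail bounce, HTTP request, NNTP posting, mIRC script.ini spreading, Kazaa registry keys). The SAMPLE bytes and the example.invalid URL are constructed for the demonstration and are not taken from the real file.

```python
import re

# Constructed sample input standing in for the binary discussed in the post:
# a few of the strings quoted above embedded in non-printable filler bytes.
# It is not the real sample, just enough to exercise the triage logic.
SAMPLE = (
    b"MZ\x90\x00\x03\x00HEAD %s\x00RCPT TO: <%s>\x00MAIL FROM: <%s>\x00"
    b"\x01\x02GET http://example.invalid/counter.gif HTTP/1.0\x00"
    b"NEWNEWS %s %02u%02u%02u %02u%02u%02u\x00LISTGROUP %s\x00"
    b"n0= on 1:JOIN:#:{\x00n2= /.dcc send $nick \"\x00\\script.ini\x00"
    b"<BR>This is the qmail program<BR>\x00Software\\Kazaa\x00DisableSharing\x00"
)

# Capability indicators keyed by what the post infers from each group of
# strings. One regex hit is enough to flag a category. Generic tokens such as
# DATA/QUIT are deliberately left out: they match far too many benign programs.
INDICATORS = {
    "smtp client": [r"^(HELO|MAIL FROM|RCPT TO)\b"],
    "fake qmail bounce lure": [r"qmail program", r"Undeliver"],
    "http request": [r"^GET https?://"],
    "nntp posting": [r"^(NEWNEWS|LISTGROUP)\b"],
    "mirc script.ini spreader": [r"on 1:JOIN", r"dcc send", r"script\.ini"],
    "kazaa share manipulation": [r"Software\\Kazaa", r"DisableSharing", r"DownloadDir"],
}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal `strings`: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def classify(strings) -> dict:
    """Map each indicator category to the extracted strings that triggered it."""
    hits = {}
    for category, patterns in INDICATORS.items():
        matched = [s for s in strings
                   if any(re.search(p, s, re.IGNORECASE) for p in patterns)]
        if matched:
            hits[category] = matched
    return hits

def triage(data: bytes) -> dict:
    """Run both steps over a raw file image and return the flagged categories."""
    return classify(extract_strings(data))

if __name__ == "__main__":
    for category, matched in triage(SAMPLE).items():
        print(f"{category}: {matched}")
```

Point `triage()` at the bytes of any suspicious attachment to get the same capability summary the post builds by reading strings output; an empty result means none of these particular indicators were present, not that the file is clean.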