Cisco reference in Fw: Analyse Worm18000

Patrick Nolan pnolan01 at nycap.rr.com
Sat Jun 22 11:09:52 GMT 2002


fwiw, the cisco information is quite interesting.

Pat
***snipped from below***
[cisco.ini]
Scans for cisco enabled/consoled routers (open port 23), sends string: consolepass, enable, enablepass
Found consoled routers are saved to: scan\consoled.txt
Found enabled routers are saved to: scan\enable.txt
Usage:  !ciscoscan [stop(optional)] IP range (XX.XX.)
***end snip***

----- Original Message ----- 
From: "Wesley" <ipfw at wanadoo.nl>
To: <incidents at securityfocus.com>
Sent: Saturday, June 22, 2002 1:08 AM
Subject: Analyse Worm18000


I made a fast & small analysis of the Worm1800.exe.


When running the file, it adds an entry to the registry: 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\FONTS\FONTS\BAH\THIS\IS\TOO\EASY\HAH\WHVLXD.EXE




%windowsfonts%\fonts\bah\this\is\too\easy\hah\

[PR.ini]
On start, it checks if the 'Hidefile' temp2.exe exists, else it closes down the IRC client.
If the file exists, it connects to the server: my-mom-says-im-a.linux-dude.com port: 6667 using a random nickname from the TEMP.SCR file.
Checks if port 9000 is free on the machine, then opens it. If port 9000 is not free it closes down the mIRC file. (not sure what this is for)
Some commands:
!login <password> - password is:  BotNet (grants you 'master' access)
It has a built-in bouncer function.
Also this 'file' seems to be some kind of update for older versions of this script.
It checks for files such as: 
C:\WINDOWS\INF\g\temp.scr
C:\WINDOWS\bero\mirc.ini
C:\WINDOWS\web32\rb.exe
And removes them.
Other things it has: a simple portscanner, flood clones, channel commands.



[MIRC.INI]
'config' file for the mIRC client.

[GATES.TXT] 
File with open proxies/wingates.


[TEMP.SCR]
File with random nicknames.
 
[mirc2.ini]
'Command scripts' - Don't have time to list them all right now.
It checks if the 'Hidefile' temp2.exe exists, else it closes down the IRC client.
Some interesting commands are:
!Packet IP Amount - uses ping.exe.
!wingate.load - uses the gates.txt file.
!fileserver.access - Opens up a fileserver, sharing c:\
!credits - returns: msg # %logo Credits:[To: Info_Hacker - Exter(MicroTech) - Silic0n0] %logo
!ver - returns: msg # %logo «By» «Info_Hacker» - «Version» «3.0»
Rest of the commands are some basic operator & CTCP flood attacks, nothing fancy. 

[WHVLXD.DAT] 
Think this file checks if the entry was added into the registry, not sure.

[WHVLXD.EXE]
No idea.

[infonet.mrc]
Simple mail bomber.
Usage:  !Mail-Bomb <mailserver> <to> <subject> <message>

[moo.dll]
See sysinfo.mrc.

[scan.txt]  
Scans people on join for port 27374 (sub7), 1243 (old sub7 port), 12345 (netbus)
Messages the main channel when open port is found.
usage: !Tscan [start/stop/help]

[cisco.ini]
Scans for cisco enabled/consoled routers (open port 23), sends string: consolepass, enable, enablepass
Found consoled routers are saved to: scan\consoled.txt
Found enabled routers are saved to: scan\enable.txt
Usage:  !ciscoscan [stop(optional)] IP range (XX.XX.)

[sysinfo.mrc]
sysinfo.mrc tells you what type of CPU you have, shows memory and free memory, screen resolution and operating system by reading the moo.dll file.

[remote.ini]
variables 

[TEMP2.exe]
Hides/Reveals the mIRC client

[infonet2.ini]
some simple scripts & commands.
(bouncer/portscanner/(CTCP/PRIVMSG)floods) 

[temp2.exe]
'HideFile' hides the mIRC client. 

[spam.mrc] 
Spam script, message person who joins channel client is in.
usage: !Spam Server Port Message







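Host-side triage for the indicators listed in the analysis above. This is an added example, not part of Wesley's message or the bot itself: it checks a constructed host snapshot (Run-key values, file paths, listening TCP ports, outbound connections) against the Run-key path, drop directory, leftover old-version files, the port 9000 listener and the IRC server named in the post. The snapshot layout, the function names and the sample data are this example's own assumptions.

```python
"""Triage a host snapshot against the indicators from the Worm18000 analysis.

Added example (not the original poster's code). The snapshot format below is
assumed for illustration; the indicator values come from the analysis text.
"""
from typing import Dict, List, Tuple

# Indicators quoted in the analysis (compared case-insensitively).
DROP_DIR_FRAGMENT = "\\fonts\\bah\\this\\is\\too\\easy\\hah\\"
OLD_VERSION_PATHS = {
    r"c:\windows\inf\g\temp.scr",
    r"c:\windows\bero\mirc.ini",
    r"c:\windows\web32\rb.exe",
}
BOT_LISTENER_PORT = 9000          # opened on start if free
C2_HOST = "my-mom-says-im-a.linux-dude.com"
IRC_PORT = 6667


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Flag HKLM\\...\\Run values whose command line points into the drop dir."""
    hits = []
    for name, cmd in run_values.items():
        if DROP_DIR_FRAGMENT in cmd.lower():
            hits.append(f"run-key persistence: {name} -> {cmd}")
    return hits


def check_files(paths: List[str]) -> List[str]:
    """Flag bot components in the drop dir and leftovers from older versions."""
    hits = []
    for path in paths:
        low = path.lower()
        if DROP_DIR_FRAGMENT in low:
            hits.append(f"bot component in drop dir: {path}")
        elif low in OLD_VERSION_PATHS:
            hits.append(f"older bot version file: {path}")
    return hits


def check_network(listeners: List[int], connections: List[Tuple[str, int]]) -> List[str]:
    """Flag the bot's own listener and its IRC connection."""
    hits = []
    if BOT_LISTENER_PORT in listeners:
        hits.append(f"TCP {BOT_LISTENER_PORT} listener (matches the bot's port check)")
    for host, port in connections:
        if host.lower() == C2_HOST:
            hits.append(f"connection to bot IRC server {host}:{port}")
        elif port == IRC_PORT:
            hits.append(f"IRC connection to {host}:{port} (review)")
    return hits


def triage(snapshot: dict) -> List[str]:
    """Run every check over one snapshot and return all findings."""
    return (check_run_values(snapshot.get("run_values", {}))
            + check_files(snapshot.get("files", []))
            + check_network(snapshot.get("listeners", []),
                            snapshot.get("connections", [])))


# Constructed sample snapshots (hypothetical hosts, not real captures).
DROP_DIR = r"C:\Windows\FONTS\FONTS\BAH\THIS\IS\TOO\EASY\HAH"
INFECTED_SNAPSHOT = {
    "run_values": {"WHVLXD": DROP_DIR + r"\WHVLXD.EXE",
                   "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    "files": [DROP_DIR + r"\cisco.ini", DROP_DIR + r"\temp2.exe",
              r"C:\WINDOWS\web32\rb.exe", r"C:\WINDOWS\notepad.exe"],
    "listeners": [135, 139, 9000],
    "connections": [("my-mom-says-im-a.linux-dude.com", 6667),
                    ("www.example.com", 80)],
}
CLEAN_SNAPSHOT = {
    "run_values": {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    "files": [r"C:\WINDOWS\notepad.exe"],
    "listeners": [135, 139],
    "connections": [("www.example.com", 80)],
}

if __name__ == "__main__":
    for finding in triage(INFECTED_SNAPSHOT):
        print(finding)
```

On a real host the snapshot would be filled from the Run key, a directory walk of the Windows directory, `netstat -an` and the DNS cache; the drop-directory match is the strongest of these indicators, while a plain port 6667 connection is only flagged for review because ordinary IRC use looks the same.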
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com





More information about the unisog mailing list