[unisog] Anyone recognize what this one is?

Peter Van Epp vanepp at sfu.ca
Thu Aug 7 14:59:00 GMT 2003


	My Windows person doesn't think the files he has match the description
of this one. He is considering sending it along to one of the antivirus vendors
as possibly a new one. I sent a heads up to the target of the IRC connection 
and the admin there says he is seeing a fair number of attempts to connect
to the server which apparently doesn't exist on his site, so it looks to 
perhaps be more than just us. We don't know how this infection happened
because it's a laptop and we believe it was infected at home on the cable 
network (if it had been here, argus would at least have a record of the 
incoming connections). The network it was on here can't get out to the net
and the attempt to connect to the IRC server is what got it caught, so I also
can't tell if it would have connected to the IRC server and no one else from
here has tried in the last week or so.

Peter Van Epp / Operations and Technical Support 


On Thu, Aug 07, 2003 at 08:28:53AM -0400, Stephanie Hagopian wrote:
> It's most likely Backdoor.IRC.Flood.F--it came out a few days ago and 
> comes in through port 6667 and exploits weak passwords via IRC. Check 
> out the Symantec link:
> 
> http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.flood.f.html
> 
> -- 
> Stephanie Hagopian
> IT Security Analyst
> University of North Carolina-Chapel Hill
> 105 Abernethy Hall
> 
> mailto:shagopia at unc.edu
> 
> https://www.unc.edu/security/staff/shagopia


