[unisog] Yay Malware

micheal.cottingham at sv.vccs.edu
Fri Jan 12 16:29:31 GMT 2007


That's one of the IP addresses I've seen. Here are a few logs from that IP:

01/11/2007 08:51:41 AM	3293: IRC: NICK/USER Registration Request	Security Policy	Block	[scrubbed]	4567	61.100.5.195	13697	[scrubbed]	[scrubbed]	Low	0
01/11/2007 08:48:27 AM	3293: IRC: NICK/USER Registration Request	Security Policy	Block	[scrubbed]	1192	61.100.5.195	13697	[scrubbed]	[scrubbed]	Low	0
01/11/2007 08:38:54 AM	3293: IRC: NICK/USER Registration Request	Security Policy	Block	[scrubbed]	3638	61.100.5.195	13697	[scrubbed]	[scrubbed]	Low	0
01/11/2007 08:35:16 AM	3293: IRC: NICK/USER Registration Request	Security Policy	Block	[scrubbed]	3491	61.100.5.195	13697	[scrubbed]	[scrubbed]	Low	0
01/11/2007 08:31:16 AM	3293: IRC: NICK/USER Registration Request	Security Policy	Block	[scrubbed]	3266	61.100.5.195	13697	[scrubbed]	[scrubbed]	Low	0


I haven't seen anything from today yet. I'll second that request for a copy
if anybody has it. I'd like to take a look at it as well.

Micheal

Original Message:
-----------------
From: John H. Sawyer jsawyer at ufl.edu
Date: Fri, 12 Jan 2007 11:07:14 -0500
To: micheal.cottingham at sv.vccs.edu, unisog at lists.dshield.org
Subject: Re: [unisog] Yay Malware


micheal.cottingham at sv.vccs.edu wrote:
> What kind of traffic? Past couple of days I've seen a surge of IRC traffic
> to various Korean IP addresses all on port 13697. I haven't been able to
> track it down yet. I don't know if it is related or not.

The following is a trace going to Korea on the port you mentioned but I
don't have a copy of the malware. If someone wants to send me a copy of
Yay, I'll test it and provide traffic analysis.

Server: 61.100.5.195:13697

JOIN ##1ntrud3r plz
MODE [P00|USA|74498] -x+i
JOIN ##1ntrud3r plz
MODE [P00|USA|74498] -x+i
JOIN ##1ntrud3r plz
:sv-6.stat1c.net 332 [P00|USA|74498] ##1ntrud3r :
:sv-6.stat1c.net 333 [P00|USA|74498] ##1ntrud3r lol 1168402553
PING :sv-6.stat1c.net
PONG sv-6.stat1c.net
PING :sv-6.stat1c.net
PING :sv-6.stat1c.net
PONG sv-6.stat1c.net
PING :sv-6.stat1c.net



-jhs

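An added example, not code from either poster: a small Python parser for the IRC trace John quoted above. It pulls out the server, channel, nick and the time the channel topic was set (the last field of the 333 reply is a Unix timestamp) and collects the features a defender could match on in an IDS rule, namely IRC on a non-standard port, a keyed channel, and a templated bracket/pipe nickname. The port list and the indicator names are my own assumptions.

```python
import re
from datetime import datetime, timezone

# The IRC trace quoted in John's reply above, plus his "Server:" line.
TRACE = """Server: 61.100.5.195:13697
JOIN ##1ntrud3r plz
MODE [P00|USA|74498] -x+i
JOIN ##1ntrud3r plz
:sv-6.stat1c.net 332 [P00|USA|74498] ##1ntrud3r :
:sv-6.stat1c.net 333 [P00|USA|74498] ##1ntrud3r lol 1168402553
PING :sv-6.stat1c.net
PONG sv-6.stat1c.net
"""
# Nick shaped like [P00|USA|74498]: bracketed, pipe-delimited fields.
TEMPLATED_NICK = re.compile(r"^\[[^\]|]+(\|[^\]|]+)+\]$")

def parse_irc_line(line):
    """Split one RFC 1459-style line into (prefix, command, params)."""
    # Server lines carry a leading ":<prefix>"; client lines do not.
    prefix, _, line = line[1:].partition(" ") if line.startswith(":") else (None, "", line)
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:                           # trailing param may be empty (bare ":")
        params.append(trailing)
    return prefix, params[0], params[1:]

def analyze_trace(text):
    """Summarise the C2-relevant fields of the trace and collect indicators."""
    s = {"server": None, "port": None, "nick": None, "channels": set(),
         "topic_set_at": None, "indicators": set()}
    for raw in filter(None, text.splitlines()):
        if raw.startswith("Server: "):
            host, _, port = raw[8:].rpartition(":")
            s["server"], s["port"] = host, int(port)
            if s["port"] not in (6667, 6697):   # assumed "normal" IRC ports
                s["indicators"].add("IRC on non-standard port %d" % s["port"])
            continue
        _, cmd, params = parse_irc_line(raw)
        if cmd == "JOIN":
            s["channels"].add(params[0])
            if len(params) > 1:       # second argument is a channel key
                s["indicators"].add("keyed (password-protected) channel")
        elif cmd == "MODE":
            s["nick"] = params[0]
            if TEMPLATED_NICK.match(params[0]):
                s["indicators"].add("templated bracket/pipe nickname")
        elif cmd == "333":            # RPL_TOPICWHOTIME: <chan> <setter> <epoch>
            when = datetime.fromtimestamp(int(params[-1]), timezone.utc)
            s["topic_set_at"] = when.isoformat()
    return s
```

Running analyze_trace(TRACE) dates the topic of ##1ntrud3r to 2007-01-10 04:15:53 UTC, two days before John's post, which is the kind of detail worth correlating with when the first blocked registration requests showed up in Micheal's logs.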
