[7867] in bugtraq


Fwd: [ISN] Another BO detector that is actually a trojan

daemon@ATHENA.MIT.EDU (Reuben Yau)
Thu Sep 3 14:06:41 1998

Date: 	Thu, 3 Sep 1998 13:00:11 +0100
Reply-To: Reuben Yau <Reuben.Yau@INTERNAL.DIRCON.NET>
From: Reuben Yau <Reuben.Yau@INTERNAL.DIRCON.NET>
To: BUGTRAQ@NETSPACE.ORG

Not sure if this has already been posted here.

cheers

Reuben

>X-Authentication-Warning: obscure.sekurity.org: majordomo set sender to owner-isn@sekurity.org using -f
>Date: Wed, 2 Sep 1998 05:54:21 -0600 (MDT)
>From: mea culpa <jericho@dimensional.com>
>To: InfoSec News <isn@sekurity.org>
>Subject: [ISN] Another BO detector that is actually a trojan
>X-NoSpam: Pursuant to US Code; Title 47; Chapter 5; Subchapter II; 227
>X-NoSpam: any and all nonsolicited commercial E-mail sent to this address
>X-NoSpam: is subject to a download and archival fee in the amount of $500 US.
>X-NoSpam: E-mailing to this address denotes acceptance of these terms.
>X-Noarchive: YES
>X-Copyright: This e-mail copyright 1998 by jericho@dimensional.com
>Sender: owner-isn@sekurity.org
>Reply-To: mea culpa <jericho@dimensional.com>
>x-unsubscribe: echo "unsubscribe isn" | mail majordomo@sekurity.org
>x-infosecnews: x-loop, procmail, etc
>
>
>Forwarded From: Ken Williams <jkwilli2@UNITY.NCSU.EDU>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>Hi,
>
>     I recently came across a program called "BoSniffer.zip" that the
>author claims will "block key points in the registry from BO as well as
>search for existing installs of the backdoor."
>
>     Close examination has revealed that this is actually a BO server
>with the "SpeakEasy" plugin installed.  If you run "BoSniffer.exe", the
>BoSniffer executable (read: BO Server Trojan w/ SpeakEasy) will "attempt
>to log into a predetermined IRC server on channel #BO_OWNED with a random
>username.  It then proceeds to announce its IP address and a custom
>message every few minutes."
>
>     This program, "BoSniffer.zip" is currently being widely distributed
>as a "cure for Back Orifice infections".  It is probably being distributed
>with other software packages and with other names too.  Listed below are
>relevant details about this program.
>
>
>File Sizes (in bytes)
>---------------------
>231068 BoSniffer.exe
>108573 BoSniffer.zip
>
>MD5 fingerprints and strings (checksums)
>----------------------------------------
>MD5 (BoSniffer.zip) = 2d75c4ac54b675778ff22f76f9a6a77f
>MD5 ("string") = b45cffe084dd3d20d928bee85e7b0f21
>
>MD5 (BoSniffer.exe) = 63748087b2e1598fcf34498b0295212e
>MD5 ("string") = b45cffe084dd3d20d928bee85e7b0f21
>
>
>Evidence that BoSniffer.zip is really BO Server with SpeakEasy Plugin
>---------------------------------------------------------------------
>sector 0x028C38
>irc.lightning.net:7000:Hey MASTER where are u!!!
>
>sector 0x0303F0 - sector 0x0306D8
>BO ButtPlugs and goodies...http://www.netninja.com/bo.html
>AJ Reznor: The pierced, tattooed grand master god of flame wars!
>Who is John Galt?
>Yes, you too can own my box with this special introductory offer of $0.00!
>I'm sad to see Kontrol Faktory go away.
>Use Linux!
>This box is now property of the Illuminati.
><<tap>> <<tap>> <<tap>>...Is this thing on?
>Where do *YOU* want to go today?!
>
>sector 0x031848
>SpeakEasy.dll
>
>sector 0x0318A8 - sector 0x031980
>#BO_OWNED with IRC commands:
>Own Me @ .NOTICE .JOIN #BO_OWNED host server :Owned USERNICK BO
>.QUIT Psssst...Speakeasy was told to shut down
>.NOTICE #BO_OWNED :Psssst...Speakeasy just started up

>
>
>You get the idea by now, hopefully.
>
>Instructions on removing BO Servers from compromised servers can be
>found at:  http://www.iss.net/xforce/alerts/advise5.html
>or by searching through the NTBUGTRAQ archives at:
>http://ntbugtraq.ntadvice.com/archives/
>
>If anyone wants a copy of BoSniffer.zip for further examination, send
>email to Packet Storm Security at PacketStorm@Genocide2600.com
>Please note that we will disregard any non-corporate or suspicious
>requests.
>
>Regards,
>
>Ken Williams
>
>Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
>E.H.A.P. Corporation  http://www.ehap.org/  ehap@ehap.org info@ehap.org
>NCSU Comp Sci Dept    http://www.csc.ncsu.edu/ jkwilli2@adm.csc.ncsu.edu
>PGP DSS/DH/RSA Keys   http://www.genocide2600.com/cgi-bin/finger?tattooman
>
>
>-o-
>Subscribe: mail majordomo@sekurity.org with "subscribe isn".
>Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
>
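The forwarded advisory identifies the trojan by its MD5 fingerprints and by the IRC and plugin strings sitting at fixed offsets inside the executable. The following added example (not part of the original post or of Packet Storm's tooling) turns those published indicators into a simple offline check: it hashes a file against the two listed MD5s and reports the byte offsets of the quoted strings. The embedded SAMPLE buffer is constructed padding with two of the strings planted in it, not the real binary.

```python
import hashlib
import re
import sys

# MD5 fingerprints quoted in the advisory above.
KNOWN_MD5 = {
    "2d75c4ac54b675778ff22f76f9a6a77f": "BoSniffer.zip",
    "63748087b2e1598fcf34498b0295212e": "BoSniffer.exe",
}

# Strings the advisory found embedded in BoSniffer.exe.
INDICATOR_STRINGS = [
    b"irc.lightning.net:7000",
    b"#BO_OWNED",
    b"SpeakEasy.dll",
    b"Psssst...Speakeasy just started up",
]


def find_indicators(data: bytes) -> dict:
    """Return {indicator: [offsets]} for every indicator string present in data."""
    hits = {}
    for needle in INDICATOR_STRINGS:
        offsets = [m.start() for m in re.finditer(re.escape(needle), data)]
        if offsets:
            hits[needle.decode()] = offsets
    return hits


def assess(data: bytes) -> dict:
    """Hash the bytes, scan for indicator strings, and combine into a verdict.
    A known hash is conclusive; otherwise two or more string hits is treated as suspicious."""
    digest = hashlib.md5(data).hexdigest()
    hits = find_indicators(data)
    return {
        "md5": digest,
        "known_sample": KNOWN_MD5.get(digest),
        "indicators": hits,
        "suspicious": digest in KNOWN_MD5 or len(hits) >= 2,
    }


# Constructed sample (NOT the real binary): zero padding with two advisory strings planted.
SAMPLE = (b"\x00" * 0x100 + b"irc.lightning.net:7000:Hey MASTER where are u!!!"
          + b"\x00" * 0x80 + b"SpeakEasy.dll" + b"\x00" * 16)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = assess(data)
    for name, offs in result["indicators"].items():
        print(f"{name!r} at " + ", ".join(f"0x{o:06X}" for o in offs))
    print("MD5:", result["md5"], "known sample:", result["known_sample"])
    print("suspicious:", result["suspicious"])
```

Run it with a file path to scan that file; with no argument it scans the constructed sample, reporting the planted strings at 0x000100 and 0x0001B0.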
