[8105] in bugtraq
Re: Internet Wide DOS Attack using IRC
daemon@ATHENA.MIT.EDU (Kameron Gasso)
Fri Oct 2 19:31:51 1998
Date: Fri, 2 Oct 1998 15:55:18 +0000
Reply-To: Kameron Gasso <root@LOCKDOWN.NET>
From: Kameron Gasso <root@LOCKDOWN.NET>
X-To: dbarba <dbarba@GEOCITIES.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <361547BC.F37606C4@geocities.com>
This might be an unreleased Back Orifice plugin from an internet user who
dislikes GeoCities (only speculation). Odds are, it was distributed
widely over IRC in a Warez package or something similar.
> The complete content of the 5845 directory was: nfo.zip, nfo.jpg,
> servers.zip, servers.jpg, users.zip and users.jpg. When I looked at
> the
> binary files by doing a cat, the users jpg & zip files were the
> same, but the
> other files were all unique.
From the names of those files, I'd guess that's a warez pup's account.
Then again, who knows.
> We did find an entry in his registry with the following setting:
>
> /microsoft/windowsexplorer/doc/find/spec/mru
> a) " "
> b) 5845
> c) nfo
> d) bo
> e) nfo.zip
> f) winrar
> g) msvbvm60.dll
> h) loadwc
> i) stargate
> j) area51
> mrulist) eadcbjihgf
What's the full name of that registry key? The file msvbvm60.dll looks
like a Visual BASIC runtime library, possibly a Back Orifice plugin of
some sort.
> I also asked our ISP to help track some of this and this was their
> result. "All the IP's
> I've scanned so far from the log have several UDP ports open in the
> 31337 range
> (what Back Orifice uses)."
This is also why I think it may be a BO plugin. Unfortunately, these
users have no idea they're helping attack a server, and probably wouldn't
suspect a thing.
>
> So, we really need to find the source instead of asking everyone to
> reinstall their OS. It might also be necessary to inform the various
>
> virus-detection software vendors to try to eradicate this from all of
>
> the machines that currently have it installed.
If it's Back Orifice, some virus scanners will already pick it up. This
still doesn't solve the problem of the plugin, which can be stored in any
file type, text, dll, or binary.
If you do find what it is, please let me know, as I myself am curious.
Thank you.
Sincerely,
Kameron Gasso
Direct legitimate replies to krg@lockdown.net - Flames, spams, etc. will
be handled by the little green monster named /dev/null I keep locked away
in my dungeon.
