Arlong Park Forums

    W32/IRCbot.worm!MS05-039

    Announcements
    • oceanizer

      For Windows users…

      This threat scans for MS05-039 exploitable systems. When a vulnerable system is found, it uses a buffer overflow to write the worm file to that machine via a TFTP upload on port 8594. Blocking this port via McAfee Desktop Firewall or McAfee Personal Firewall will prevent infection even if the buffer overflow is not prevented.

      You'll get infected without downloading anything. Yahoo! Japan reports some big US companies are also infected by this. Namely ABC News and CNN??
      http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html

      Please update your virus definition NOW!
      http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=135491

      To check if you're infected or not, Stinger is a good tool to check:
      http://vil.nai.com/vil/stinger/

      It just got my attention because it's "IRC" related ^^;

      • Randy1031 (Warlord Mod)

        What does that mean for people who have Norton Anti Virus? All this talk is about McAfee…

        • oceanizer

          'Cause I linked the McAfee site…

          If you use Norton, then go to their site: http://www.symantec.com/index.htm
          and you'll see the latest virus definition.

          You should be able to use Stinger even if you don't have McAfee though.

          • Carly

            Ooh I hope I didn't get that. Actually I sort of doubt I did since I'm not on W2k here but eh ! I have an older brother who's pretty naive (autism) and he usually manages to gunk up my notebook with tons of spyware.

            I remember a couple years back about the blaster worm going around on XP and it was driving the whole internet crazy… though I just kind of pointed and laughed since I was still using w98 at the time :laugh: I think that since it's based primarily for W2k it's probably going to hit earlier versions of XP, not someone who just bought it last year (aka carly !).

            Wow, I've got a lot of crap on here. Fifteen minutes and this thing is still going :laugh:

            • oceanizer

              Lol. Wasn't that just last year? Blaster virus? My company network was one of the first that got infected back then -_- Afterwards, even after I reinstalled the OS, the worm was still there.

              @Carly:

              Wow, I've got a lot of crap on here. Fifteen minutes and this thing is still going

              Are you running Stinger? I should do that, too.

              • Windrays

                I, ah, have McAfee…. Anyone know how to block the port on it?

                • taboo

                  What if you don't use IRC? Can you still get it? What if you've used IRC before but haven't in months?

                  • Carly

                    I somehow doubt it if you don't use IRC but I dunno. shrug

                    • Zoro33

                      @oceanizer:

                      To check if you're infected or not, Stinger is a good tool to check:
                      http://vil.nai.com/vil/stinger/

                      Nice program, I just used it and found out my pc was infected with the W32/Sdbot.worm!ftp virus…
                      Kewl, thanks! :laugh:

                      • oceanizer

                        My other friend told me he was infected with that one, too o.o!
                        I ran it for my entire drive (for more than 2 hours) but it didn't find any virus .__.

                        @Carly:

                        I somehow doubt it if you don't use IRC but I dunno. shrug

                        I think you'll still get it… Look at the companies that are infected... CNN, ABC News... I don't think anybody would use IRC at work... Or would they!?

                        • Carly

                          Well - maybe not just IRC :laugh: Would it be carried over with FTP as well, then ? Both IRC and FTP transfer use basically the same protocols…

                          • Ajiro @Carly

                            HOLY CRAP!!! I think I may have it! I'm scanning my computer using McAfee and it detected a file called "RenamedmIRCClient". Is this it?

                            • Caracal @oceanizer

                              @oceanizer:

                              Lol. Wasn't that just last year? Blaster virus? My company network was one of the first that got infected back then -_- Afterwards, even after I reinstalled the OS, the worm was still there.

                              I noticed that too, actually. When I got my comp in 2003 it had Blaster on it, and when I lent my dad my copy of XP, he installed it on his computer and found he had Blaster.

                              • Akira @Caracal

                                @Caracal:

                                I noticed that too, actually. When I got my comp in 2003 it had Blaster on it, and when I lent my dad my copy of XP, he installed it on his computer and found he had Blaster.

                                Exact same thing happened to me, Yup Yup.

                                • wintergt @Akira

                                  A bit of a clarification might be in order. You don't need IRC to get this worm. The IRC part is probably in because this is one of those worms that turns your PC into a "zombie" and then makes it connect to an IRC channel every day or so to see if there are "orders". (You won't see this of course, much less do you need mIRC installed for the worm to do this.) Then when the worm creators think they have enough zombies, they'll issue an attack command on their mIRC channel, and at a designated time all zombie PCs will ping-flood a major website. This is what a DoS (denial of service) attack is. They sometimes shut down major websites like Google, Yahoo or Amazon in this manner (after trying to extort money from them first). If you have the worm, you'll be one of the attackers without ever knowing it.

                                  With this particular worm, there are actually three groups competing with each other to get as many PCs infected as possible. They started writing these worms as soon as the "bug" (the buffer-overflow flaw they use to get you infected) got made public. One of the worms will even delete the versions from the other groups if it finds them on your system!

                                  But they're kinda badly written, because the most prominent one makes your PC reboot, which is of course stupid. The whole point of the worm is to sit there without you knowing it and wait for orders, and rebooting the infected PC totally blows its cover.

                                  Interesting side-note:
                                  Also, this is not one of those viruses where you need to click on an executable attachment or something to get infected. As I said earlier, it uses a buffer-overflow flaw. Buffer overflows are by FAR the most prominent security flaw that can be abused to get control of a computer. It's quite technical, but the basic idea is simple, so in layman's terms: say you have to log in and write your username, which has a "20 characters max". Any time the program does not actively check whether you indeed wrote less than 20 characters, we have a buffer overflow weakness. Whatever you write after the 20 characters will overwrite the actual program that is running! So the worm connects to your PC, overflows the said login and adds code that makes your PC download the worm from the internet. Bam, you got infected without doing anything.

                                  What started this was Microsoft, who announced: "in Windows 2000 there was a buffer overflow error in this insignificant little add-on code, so here's a patch". Of course most companies don't patch that quickly, and Microsoft basically told the virus-writers how to abuse their OS :P. (Also, if you don't have Win2k, don't worry about this virus.)

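As an added illustration of the length check wintergt describes (example code written for this page, not from the thread, McAfee, or any product mentioned): a constructed C login record with a 20-character username field, a helper that computes how many bytes an unchecked copy would spill past that field, and the checked version that rejects over-long input instead of writing it.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 20  /* the "20 characters max" username field from the post */

/* Constructed login record for this demo. The fixed-size username buffer is
 * followed by another field: bytes an unchecked copy writes past 'name' land
 * in whatever sits next in memory (here 'is_admin'; on a real stack frame,
 * the saved return address), which is how an overflow turns into control. */
struct login {
    char name[NAME_MAX];
    int  is_admin;
};

/* The weakness the post describes: an unchecked strcpy() writes strlen()+1
 * bytes regardless of the destination size. This helper only computes how
 * many bytes such a copy would spill past 'name'; it performs no write. */
size_t overflow_bytes(const char *input)
{
    size_t needed = strlen(input) + 1;  /* characters plus terminating NUL */
    return needed > NAME_MAX ? needed - NAME_MAX : 0;
}

/* The fix: check the length before copying, reject input that does not fit
 * (rather than silently truncating), and always NUL-terminate.
 * Returns 0 on success, -1 on rejection; on rejection 'rec' is untouched. */
int login_set_name_safe(struct login *rec, const char *input)
{
    size_t len = strlen(input);
    if (len >= NAME_MAX)
        return -1;
    memcpy(rec->name, input, len);
    rec->name[len] = '\0';
    return 0;
}

int main(void)
{
    struct login rec = { "", 0 };
    /* Constructed over-long input: 25 'A's, five more than the field holds. */
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("unchecked copy of a %zu-char name would spill %zu byte(s) past 'name'\n",
           strlen(long_name), overflow_bytes(long_name));
    printf("checked set with that name: %d (is_admin still %d)\n",
           login_set_name_safe(&rec, long_name), rec.is_admin);
    printf("checked set with \"alice\": %d -> \"%s\"\n",
           login_set_name_safe(&rec, "alice"), rec.name);
    return 0;
}
```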
                                  • Buuhan1

                                    Ah, McAfee warned me about this too, and then the pricks said if I wanted to protect myself from it I would have to blow 50 bucks on their new software versions >< But I'm happy to hear it's only for Windows2k 'cause I got Windows XP.
