M1CUK > INFO 13.12.02 03:51l 90 Lines 2441 Bytes #999 (0) @ WW
BID : 822795M1CUK
Read: DB0FHN GUEST
Subj: virus info / update
Path: DB0FHN<DB0ZWI<DB0CHZ<DB0ERF<DB0FBB<DB0GOS<DB0ACC<ON0RAT<ON5VL<LX0HST<
HA3PG<ON0BEL<GB7FCR
Sent: 021207/0150Z @:GB7FCR.#16.GBR.EU #:32523 [Blackpool] FBB-7.03a $:822795M1
From: M1CUK@GB7FCR.#16.GBR.EU
To : INFO@WW
Backdoor Trojan - TROJ_FLOOD.BI.DR
TROJ_FLOOD.BI.DR is a backdoor Trojan package that drops and installs a
multi-component backdoor in the System directory.
The dropped multi-component backdoor allows malicious users to remotely
take control of infected systems.
This backdoor package can force infected systems to behave as FTP servers,
allowing remote users to upload and download files to and from infected
machines.
It also contains IRC scripts that may be used to launch a Distributed
Denial of Service (DDoS) attack. With the scripts installed, malicious
users can manipulate infected systems into flooding certain targets within
IRC by continuously pinging these targets.
This Trojan arrives as an installation/setup program and runs on Windows
9x, ME, 2000, and XP. Upon execution it creates a folder named STDE9 in the
Windows system directory and then drops the following files into that
folder:
SVCHOST32.EXE
BOOTDRV.DLL
EXPLORE.DAT
EXPLORER.EXE
EXPLORE.EXE
IISCACHE.DLL
WEB.SWF
LIBPARSE.EXE
NAVDB.DBX
PSEXEC.EXE
RCFG.INI
RCONNECT.EXE
RCONNECT.CONF
STR.VXD
SECURE.BAT
V32DRIVER.BAT
It then creates a folder named www inside STDE9. The following files, which
are dropped into the www folder, are IRC scripts that allow files to be
shared via mIRC:
www\MDX.DLL
www\MOO.DLL
www\VIEWS.MDX
www\WEBSERV.MRC
www\HTDOCS
www\htdocs\README.HTM
www\htdocs\SHIK.GIF
www\WWWLOGS
This Trojan dropper also creates a registry entry so that one of its
dropped files, EXPLORER.EXE, automatically executes at every Windows
startup.
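A defender-side hunting script for the drop set just described (an added example, not code from the bulletin or from the vendor that published the description): it checks a given system directory for the STDE9 folder and the listed file names, and flags autostart entries that launch one of those files from a STDE9 folder. The bulletin does not name the registry key used for startup, so the autostart values are passed in as a constructed dict rather than read from a live registry, and the sample directory tree is constructed as well.

```python
import os
import tempfile

# Dropped-file names copied from the bulletin text; matching is case-insensitive.
STDE9_FILES = {
    "SVCHOST32.EXE", "BOOTDRV.DLL", "EXPLORE.DAT", "EXPLORER.EXE", "EXPLORE.EXE",
    "IISCACHE.DLL", "WEB.SWF", "LIBPARSE.EXE", "NAVDB.DBX", "PSEXEC.EXE", "RCFG.INI",
    "RCONNECT.EXE", "RCONNECT.CONF", "STR.VXD", "SECURE.BAT", "V32DRIVER.BAT",
}
WWW_FILES = {"MDX.DLL", "MOO.DLL", "VIEWS.MDX", "WEBSERV.MRC"}


def scan_system_dir(system_dir):
    """Return (stde9_hits, www_hits): listed drop names present under <system_dir>/STDE9."""
    stde9 = os.path.join(system_dir, "STDE9")
    if not os.path.isdir(stde9):
        return set(), set()
    names = {n.upper() for n in os.listdir(stde9)}
    www = os.path.join(stde9, "www")
    www_names = {n.upper() for n in os.listdir(www)} if os.path.isdir(www) else set()
    return names & STDE9_FILES, www_names & WWW_FILES

def command_executable(cmd):
    """Return the program path of an autostart command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""

def suspicious_run_entries(run_values):
    """Flag autostart values (name -> command) that launch a listed file from STDE9.
    The bulletin does not name the registry key, so the caller supplies the values
    (constructed data here, not a live registry read)."""
    hits = {}
    for name, cmd in run_values.items():
        parts = command_executable(cmd).upper().replace("/", "\\").split("\\")
        if "STDE9" in parts[:-1] and parts[-1] in STDE9_FILES:
            hits[name] = cmd
    return hits

def make_constructed_sample(root=None):
    """Populate a directory with the drop set as empty files (constructed test data)."""
    root = root or tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "STDE9", "www", "htdocs"))
    for name in STDE9_FILES:
        open(os.path.join(root, "STDE9", name), "w").close()
    for name in WWW_FILES:
        open(os.path.join(root, "STDE9", "www", name), "w").close()
    return root
```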
-----------------------------------------------------------------------
10 Most Prevalent In-the-Wild Malware
(week of: November 25, 2002 to December 1, 2002)
1. WORM_KLEZ.H
2. WORM_BUGBEAR.A
3. WORM_OPASERV.A
4. WORM_OPASERV.E
5. WORM_OPASERV.F
6. WORM_OPASERV.G
7. WORM_OPASERV.H
8. JS_EXCEPTION.GEN
9. PE_FUNLOVE.4099
10. WORM_OPASERV.D
-----------------------------------------------------------------------
73's
Trev,
SysOp GB7FCR
E-Mail trev@gb7fcr.co.uk
Web Site http://www.gb7fcr.co.uk
AX25 - tcp/ip - Telnet - axip - RF & Internet Linked Systems
Message timed: 00:51 on 07 Dec 02
Message sent using WinPack-Telnet V6.80