Re: [Full-Disclosure] AMDPatchB & InstallStub
- To: <ml@xxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] AMDPatchB & InstallStub
- From: "Russell Kaiser" <RKaiser@xxxxxxxxxx>
- Date: Wed, 17 Sep 2003 16:35:53 -0400
Might be a variant of W32/Gaobot. This worm connects to an IRC server
on TCP port 9900. Looking at the Auth/Ident response from the server it
looks like an IRC server.
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.html
http://vil.nai.com/vil/content/v_100611.htm
Russell Kaiser
Network Security Engineer
Computer Services
University of South Carolina
>>> "Michael Linke" <ml@xxxxxxxxxxx> 9/17/2003 3:05:33 PM >>>
At one of our Computers with Internet Access, I found a strange program
running.
amdpatchB.exe (38 KB)
This program is trying to get Internet Access while starting.
amdpatchB.exe is connecting 63.246.134.50:9900.
There is a text based protocol running on 63.246.134.50 at a service on
port 9900.
See Telnet output:
________________________________________________________
telnet 63.246.134.50 9900
Trying 63.246.134.50...
Connected to 63.246.134.50.
Escape character is '^]'.
NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** Found your hostname
help
:Drones2.newiso.org 451 * :Register first.
_________________________________________________________
I used Google to look for this filename but got no result.
Any ideas what this is?
Regards,
Michael
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
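
The check described in the reply above (recognising an IRC server from its Auth/Ident banner), as an added example that is not part of the original thread: it parses the quoted telnet transcript as RFC 1459 messages and reports IRC evidence on an unusual port. The function names and the set of "usual" IRC ports are assumptions made for this example.

```python
import re

# RFC 1459 message shape: [":" prefix SP] command {SP param} [SP ":" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: [^: ]\S*)*)(?: :(?P<trailing>.*))?$"
)
# Assumption: ports treated as "usual" for IRC; adjust to local policy.
USUAL_IRC_PORTS = set(range(6660, 6670)) | {194, 6697}

# Transcript lines copied from the telnet output quoted in the thread.
SAMPLE = [
    "Trying 63.246.134.50...",
    "NOTICE AUTH :*** Looking up your hostname",
    "NOTICE AUTH :*** Checking Ident",
    "NOTICE AUTH :*** Found your hostname",
    "help",
    ":Drones2.newiso.org 451 * :Register first.",
]

def parse_irc_line(line):
    """Split one line into prefix, command, params, trailing; None if it does not fit."""
    m = IRC_LINE.match(line)
    if m is None:
        return None
    return {"prefix": m["prefix"], "command": m["command"].upper(),
            "params": m["params"].split(), "trailing": m["trailing"]}

def classify_banner(lines, port):
    """Collect IRC-specific evidence from a captured service banner."""
    evidence, servers = [], []
    for raw in lines:
        msg = parse_irc_line(raw.strip())
        if msg is None:
            continue
        if msg["command"] == "NOTICE" and msg["params"][:1] == ["AUTH"]:
            evidence.append(("pre-registration NOTICE AUTH", raw))
        elif msg["command"] == "451" and msg["prefix"]:
            # 451 is ERR_NOTREGISTERED: a command arrived before NICK/USER.
            evidence.append(("numeric 451 ERR_NOTREGISTERED", raw))
            if msg["prefix"] not in servers:
                servers.append(msg["prefix"])
    return {"is_irc": len(evidence) >= 2, "evidence": evidence,
            "servers": servers, "nonstandard_port": port not in USUAL_IRC_PORTS}

if __name__ == "__main__":
    print(classify_banner(SAMPLE, 9900))
```

Lines such as "Trying ..." and the typed "help" fit the generic message grammar but are not counted, so only the server's own NOTICE AUTH and 451 replies drive the verdict.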