[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Re: [Fwd: [TH-research] Bagle remote uninstall]

To: Gadi Evron <ge@egotistical.reprehensible.net>
Subject: [Full-Disclosure] Re: [Fwd: [TH-research] Bagle remote uninstall]
From: Dinesh Nair <dinesh@alphaque.com>
Date: Thu, 22 Jan 2004 04:10:25 +0800 (MYT)

would we then have to deal with someone running this en masse across all
windows boxen on the internet, under the notion that he's helping someone
out ? :)

--dinesh

On Wed, 21 Jan 2004, Gadi Evron wrote:

> Good morning.
> The following forwarded message is from Joe Stewart to TH-Research (The
> Trojan Horses Research Mailing List).
> In it Joe explains of a way for admins (or anybody really) to easily and
> massively remove Bagle infections from their networks.
> There are other ways to do this, but this is the most simple that I saw
> thus far.
>
> Thanks again to Joe for all his work.
> Drop him a thank-you note if this helps you, he's a good guy!
>
>       Gadi Evron
>
> The Trojan Horses Research Mailing List - http://ecompute.org/th-list
>
>
> From: Joe Stewart <jstewart@lurhq.com>
> To: TH-Research
> Subject: [TH-research] Bagle remote uninstall
> Date: Tue, 20 Jan 2004 17:19:41 -0500
>
> Mail from Joe Stewart <jstewart@lurhq.com>
>
> If you can't wait till January 28, Bagle has a remote uninstall command
> which can be sent over port 6777, the port also used to upload the
> second stage.
>
> For instance, using perl and netcat, you could send the uninstall
> command with the one-liner below:
> perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"' \
> | nc infected_host_IP 6777
>
> When the command bytes above are received by an infected host, the virus
> will exit and delete its executable (using a batch script after the
> fact). The registry keys are not removed.
>
> -Joe
>
> --
>        Gadi Evron,
>        ge@linuxbox.org.
>
> The Trojan Horses Research mailing list - http://ecompute.org/th-list
>
> My resume (Hebrew) - http://www.math.org.il/resume.rtf
>
> PGP key for ge@linuxbox.org -
> http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
> Note: this key is used mainly for files and attachments, I sign email
> messages using:
> http://vapid.reprehensible.net/~ge/Gadi_Evron_sign.asc
>

Regards,                           /\_/\   "All dogs go to heaven."
dinesh@alphaque.com                (0 0)    http://www.alphaque.com/
+==========================----oOO--(_)--OOo----==========================+
| for a in past present future; do                                        |
|   for b in clients employers associates relatives neighbours pets; do   |
|   echo "The opinions here in no way reflect the opinions of my $a $b."  |
| done; done                                                              |
+=========================================================================+

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- [Full-Disclosure] Re: [Fwd: [TH-research] Bagle remote uninstall]
  - From: Gadi Evron <ge@egotistical.reprehensible.net>

References:
- [Full-Disclosure] [Fwd: [TH-research] Bagle remote uninstall]
  - From: Gadi Evron <ge@egotistical.reprehensible.net>

Prev by Date: [Full-Disclosure] [ GLSA 200401-02 ] Honeyd remote detection vulnerability via a probe packet
Next by Date: [Full-Disclosure] Re: [Fwd: [TH-research] Bagle remote uninstall]
Previous by thread: [Full-Disclosure] [Fwd: [TH-research] Bagle remote uninstall]
Next by thread: [Full-Disclosure] Re: [Fwd: [TH-research] Bagle remote uninstall]
Index(es):
- Date
- Thread