Yes I noticed that, what I am wondering is if the msg sent is to indicate that the local user password is weak in some way? Does anyone know this ntscan util? Is it maybe a part of the RBOT design or something? I have run it through IDA 4.8 disassembler and the functions imported correspond to the ones I have seen, so I don't think there are any unpleasant surprises hidden within the program, but still it would be nice to know if this somehow is compromising some credentials on the customer's installed base?

Jan

-----Original Message-----
From: John Smith [mailto:[EMAIL PROTECTED]
Sent: 17. august 2005 17:41
To: Jan Nielsen
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Disney Down?

I joined said IRC channel, and the topic is ".ntscan 100 120 -a -b" so it appears to be joining the channel and getting parameters for this "ntscan program"

--M

Jan Nielsen wrote:
> I was at a customer today with this problem, initially their network was
> acting up and some ppl couldn't logon to the servers in the morning.
> We found the file "kilo.exe" on some machines that apparently had not
> been patched, one thing I noticed while running this file on a vmware xp
> sp1 is that it connects to an irc server @ 61.220.217.49 on port 4128
> and logs in to it with password : 146751dhzx
> Then it sets a few commands :
>
> JOIN #100+
> MODE #100+ +nts
>
> Which for an RBOT virus in itself is nothing special, but I noticed one
> thing in my sniffer trace that got me a bit worried, this is a packet
> sent from the infected pc to the irc server :
>
> 0000 00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00 ..S+....).g...E.
> 0010 00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc .S..@....F..d.=.
> 0020 d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18 .1... "..[....P.
> 0030 3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31 ?1....PRIVMSG #1
> 0040 30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a 00+ :[.NTScan.]:
> 0050 20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d  Weakpassword...
> 0060 0a                                              .
>
> Anyone know what this could be ?
>
> Regards
> Jan
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 17. august 2005 00:54
> To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] Disney Down?
>
> > MD5SUM 7a67f7a8c844820c1bae3ebf720c1cd9 (wintbp.exe)
> >
> Trend Micro: WORM_RBOT.CBQ -
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
> Symantec: Win32.Zotob.E
> McAfee: exploit-dcomrpc
> Kaspersky: Net-Worm.Win32.Small.d
>
> This is what is on CNN right now.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] on behalf of David Wilde
> Sent: Tue 8/16/2005 5:13 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Disney Down?
>
> A buddy of mine whose fiancée works for Disney just told me that they
> have sent everyone home for the day. When I say everyone I mean,
> Disney Land, Disney World, Disney Corporate, etc... He's not sure
> what the virus is called but it's apparently very nasty. Anyone have
> any more info on this?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
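For anyone who wants to check what the sniffer captured without reading hex by hand, the following decoder walks the Ethernet/IPv4/TCP headers of the dump quoted above and pulls out the IRC line the infected host sent. This is an added example for this thread, not code from the post or from any of the tools named in it; the only input is the hexdump copied from Jan's message (the masked ASCII column on the 0010 line is rebuilt from its hex bytes), and the IRC formatting codes it strips are the standard mIRC control bytes (0x02 is bold, which is what the two dots around NTScan in the ASCII column are).

```python
"""Decode the hexdump from the Full-Disclosure post (Ethernet II -> IPv4 -> TCP)
and parse the IRC PRIVMSG carried in the TCP payload.

Added example, not part of the original thread. Only the hexdump text comes
from the post; everything else is this example's own code."""
import re
import struct

# Hexdump copied from Jan's message (ASCII column of line 0010 rebuilt from the hex).
HEXDUMP = """\
0000 00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00 ..S+....).g...E.
0010 00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc .S..@....F..d.=.
0020 d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18 .1... "..[....P.
0030 3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31 ?1....PRIVMSG #1
0040 30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a 00+ :[.NTScan.]:
0050 20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d  Weakpassword...
0060 0a                                              .
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
# mIRC-style formatting: bold, italic, underline, reverse, reset, colour (with optional fg[,bg]).
IRC_FORMAT = re.compile(rb"\x02|\x1d|\x1f|\x16|\x0f|\x03(?:\d{1,2}(?:,\d{1,2})?)?")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'OFFSET b0 b1 ... ASCII' lines into raw bytes, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        for tok in fields[1:17]:          # at most 16 data bytes per line
            if not HEX_BYTE.match(tok):   # first non-hex token starts the ASCII column
                break
            out.append(int(tok, 16))
    return bytes(out)


def parse_frame(frame: bytes) -> dict:
    """Parse Ethernet II / IPv4 / TCP and return addressing, flags and payload."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    return {
        "src": (src_ip, src_port),
        "dst": (dst_ip, dst_port),
        "psh": bool(flags & 0x08),
        "ack": bool(flags & 0x10),
        "payload": tcp[data_off:],
    }


def parse_irc_message(line: bytes) -> dict:
    """Split one IRC client line into command, params and trailing text."""
    line = line.rstrip(b"\r\n")
    head, _, trailing = line.partition(b" :")
    parts = head.split(b" ")
    if parts and parts[0].startswith(b":"):   # optional server prefix
        parts = parts[1:]
    return {
        "command": parts[0].decode("ascii", "replace"),
        "params": [p.decode("ascii", "replace") for p in parts[1:]],
        "raw_text": trailing,
        "text": IRC_FORMAT.sub(b"", trailing).decode("latin-1"),
    }


def decode_capture(dump: str) -> dict:
    """Full pipeline: hexdump -> TCP segment -> parsed IRC message."""
    pkt = parse_frame(hexdump_to_bytes(dump))
    pkt["irc"] = parse_irc_message(pkt["payload"])
    return pkt


if __name__ == "__main__":
    p = decode_capture(HEXDUMP)
    print(f"{p['src'][0]}:{p['src'][1]} -> {p['dst'][0]}:{p['dst'][1]}")
    print("IRC command:", p["irc"]["command"], p["irc"]["params"])
    print("Channel text:", p["irc"]["text"])
```

Running it reproduces the observations in the thread from the bytes alone: the segment goes from 192.168.100.13 to 61.220.217.49 on port 4128, and the payload is `PRIVMSG #100+` with the text `[NTScan]: Weakpassword..` once the bold markers are removed. The same `parse_frame`/`parse_irc_message` pair can be run over further dumps from the sniffer to list every line the bot posts into the channel.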