Unknown virus

These are old archives. They are kept for historic purposes only.
Post Reply
codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States
Contact:

Unknown virus

Post by codemastr »

Ok, so far I have no idea what virus this is, all I know is someone reported this on SearchIRC.com and it certainly seems to be a virus. The first report of this was earlier today. I have yet to do much research on this, so these filters may not catch all variants, but it's certainly a good start.

i am bz now plz see my erotic video at http://www.megaone.com/erotica/myvideo.exe

Code: Select all

spamfilter {
     target private;
     regex "^i am bz now plz see my erotic video at http://.+/erotic(a)?/myvideo\.exe$";
     reason "Infected with a virus";
     action block;
};
As more becomes known about exactly what this is, I'll update this.
-- codemastr
RejiMC

Post by RejiMC »

These spam bots join a few channels like #sex #sexo and few others we are getting them too..
Ours being a family network do have some problems with it..
can something like unregistered nicks wont join unregisteded channels be set?
that prevents bots joining channels and will help prevent flooding too

Regards
eQuiliBrium
Posts: 40
Joined: Sat Mar 06, 2004 9:42 am
Location: Netherland (Amsterdam)
Contact:

Post by eQuiliBrium »

RejiMC wrote:can something like unregistered nicks wont join unregisteded channels be set?
that prevents bots joining channels and will help prevent flooding too
Hello,

Yes is an option that unrealircd dos have you just have to look at the helpfiles or in IRC use the command "/helpop ?chmodes"
This command will give you thes lines

Code: Select all

 R = Only registered (+r) users may join the channel [o]
Having an mode +R in your channel means that users that dos not have a registerd nickname will not be enable to join this channel.

Also you sad smth about a family network.
If you dont want any channel to be used similer to "#sex" "#sex*".
Just put them in the forbid block in your unrealircd.conf.
Or even better put them in the redirection block, perhaps to your network-help channel.

Code: Select all

deny channel {
	channel "<channel-mask>";
	reason <reason-for-ban>;
	redirect "<channel-name>";
	warn [on|off];
}; 
Also if you enable the option "warn on" a server notice is given to the IRC-OP's saying that ... "this user tryed to join this forbiden channel"
Let me think about it
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop »

RejiMC: could you paste some of the test/urls they paste?
This are the text strings I found in one of the trojans:

i am bz now plz see my erotic video at http://www.powow.com/erotica/myvideo.exe
i am bz now plz see my erotic video at http://www.megaone.com/erotica/myvideo.exe
i am bz now plz see my erotic video at http://www.koolpages.com/erotic/myvideo.exe
i am bz now plz see my erotic video at http://www.cyberturf.com/erotica/myvideo.exe
wanna see my erotic video ? it is here http://www.powow.com/erotica/myvideo.exe
wanna see my erotic video ? it is here http://www.megaone.com/erotica/myvideo.exe
wanna see my erotic video ? it is here http://www.koolpages.com/erotic/myvideo.exe
wanna see my erotic video ? it is here http://www.cyberturf.com/erotica/myvideo.exe
see my erotic video at http://www.powow.com/erotica/myvideo.exe
see my erotic video at http://www.megaone.com/erotica/myvideo.exe
see my erotic video at http://www.koolpages.com/erotic/myvideo.exe
see my erotic video at http://www.cyberturf.com/erotica/myvideo.exe
brb. uploading my erotic video at http://www.powow.com/erotica/myvideo.exe
brb. uploading my erotic video at http://www.megaone.com/erotica/myvideo.exe
brb. uploading my erotic video at http://www.koolpages.com/erotic/myvideo.exe
brb. uploading my erotic video at http://www.cyberturf.com/erotica/myvideo.exe
wait a minute plz. i am updating my site http://www.powow.com/erotica/myvideo.exe
wait a minute plz. i am updating my site http://www.megaone.com/erotica/myvideo.exe
wait a minute plz. i am updating my site http://www.koolpages.com/erotic/myvideo.exe
wait a minute plz. i am updating my site http://www.cyberturf.com/erotica/myvideo.exe

However, when trying to run this trojan (in an isolated environment [sandbox] of course) it didn't run.. just an installer error and that's all.... I was able to find the .ini files etc however, that's how I got these strings...

The servers list they use has over 1000 entries and the nicklist is also insane big.

Anyway, I probably got some bad variant, because when I joined one of their mainchans (which they always join) I only saw 6 infected users. Perhaps you got some other nice one? ;)

This sig is in CVS now, but I still would like to know how this thing is called and if it's more widespread... I still got the feeling it is some kind of variant of something much more general/bigger..

Code: Select all

spamfilter {
        regex "(^wait a minute plz\. i am updating my site|.*my erotic video).*http://.+/erotic(a)?/myvideo\.exe$";
        target private;
        action block;
        reason "Infected by some trojan (erotica?)";
};
RejiMC
Posts: 6
Joined: Tue Mar 09, 2004 7:11 pm

Post by RejiMC »

Yes is an option that unrealircd dos have you just have to look at the helpfiles or in IRC use the command "/helpop ?chmodes"
This command will give you thes lines Code:
R = Only registered (+r) users may join the channel [o]
Having an mode +R in your channel means that users that dos not have a registerd nickname will not be enable to join this channel
I Think thats for Registerd Channels, how can we set chmodes for newly created Channels?

and again its not just #*sex*. They are are joining (creating) channels like #Lesbian and a few sorts of variants...... thats why we cant stop it like that.

My requirment is that no un registered user join (create ) new channels, they can join channels thats already registered.. a module in that aspect will be of good use. cause it can help stop flooding to a great extend.
and there wont be any problems for any newbies joining the network either

For the bot responses, i am making arragments to record them. Till now we were just killing the bot and clear the list as soo as they join in.

here is what i got till now
11:25] <kristien> hi
[11:25] <kristien> see my erotic video at http://www.koolpages.com/erotic/myvideo.exe

kristien is connecting from *@219.95.120.245
kristien on @#FunnyWorld @#SpeakEasy @#gays #cybercafe @#sex


[11:24] <maryann> do i know u ?
[11:24] <maryann> wanna see my erotic video ? it is here http://www.koolpages.com/erotic/myvideo.exe

maryann is connecting from *@202.162.198.2
maryann on @#CyberFriends @#CyberWorld @#cybercafe @#allnitecafe @#beginner o #allnitecafe @#cybersex #beginner @#sex

[12:12] <katheryn> hi darling
[12:12] <katheryn> wanna see my erotic video ? it is here http://www.koolpages.com/erotic/myvideo.exe

katheryn is ~[email protected] * susanetta felita
katheryn is connecting from *@210.187.116.42
katheryn on @#CyberWorld @#TeenWorld @#CyberParty @#beginners @#cybercafe @#sexo @#allnitecafe @#cybersex @#beginner @#sex
eQuiliBrium
Posts: 40
Joined: Sat Mar 06, 2004 9:42 am
Location: Netherland (Amsterdam)
Contact:

Post by eQuiliBrium »

Hello,

A more agresiv solution
set::modes-on-join <+modes>;
The modes that will be set on a channel when it is first created. Not all modes can be set using this command. +qaohvbeOAzlLk can NOT be set using this command.

set::restrict-usermodes <modes>
Restrict users to set/unset the modes listed here (don't use + or -).
For example you can set +G in modes-on-connect and G in restrict-usermodes, that way you can force all users to be +G and unable to do -G.

set::restrict-channelmodes <modes>
Restrict users to set/unset the channelmodes listed here (don't use + or -).
For example you can set +G in modes-on-join and G in restrict-channelmodes, that way you can force all (new) channels to be +G and unable to do -G.
NOTE: it may still be possible to use these channelmodes trough services by using MLOCK. Unfortunately we can't do much about that, you would have to ask the services coders to implement a restrict-channelmodes feature too.
set::modes-on-join <+modes>;
New created channel will have the mode's you can select, in your case +R this will be efected throught you server wide othere's user's that dos not have a registered nick will not be able to join.

set::restrict-channelmodes <modes>;
A channel mode +R will be forced on every channel and not beeing able to unset this mode.

Like i sad before a agresiv solution.
Forsing your users to register a nick then beeing able to join a channel (registerd or not dos not matter).

But i have seen viruses that have a registed nickname.
Registering there nick on connect ...
Let me think about it
RejiMC
Posts: 6
Joined: Tue Mar 09, 2004 7:11 pm

Post by RejiMC »

We have email confimation for registering nicks........
So thats is not the probelm, if we set a default +R on channels no un registered users can join any channel, our network is fairly new and we cant do that :)

there must be modules that check whether a channel is registered on not when someone tries to join.... So its not a big problem to add one more flag which can block unregesterd users creating new channels..
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop »

RejiMC: ah ok, the spamfilter I put in CVS catches that. Good.
RejiMC
Posts: 6
Joined: Tue Mar 09, 2004 7:11 pm

Post by RejiMC »

Thanks Syzop, I am using that filter and is working fine..
The only problem is that someone need to go in there and say hi to the bot for that filter to trigger

Somewhere I read about a module that will send a message to all unregistered users asking them to register, don’t remember whether its for Anope or for unreal anyway I am going to try that and say hi to the spam bot so it will respond and trigger ur filter.

As i said early ours is micro network and most ppl do /list and all these channels wont look nice..

Hope you got my point, that’s what i am trying to resolve.
Regards
Post Reply