unknown name.. porn url spamming trojan

These are old archives. They are kept for historic purposes only.
nexus
Posts: 14
Joined: Fri Mar 12, 2004 5:45 pm

unknown name.. porn url spamming trojan

Post by nexus »

I don't know too much about this trojan, only that it is spreading like wildfire (the network I'm on has been getting around 20 new matches per day)

It's only spread through onjoin private messages as far as I know.

Code:

<ThinkingAboutYou> Free porn pic and movies www.girlporn.org
<StreetSpirit> Free porn pic and movies www.girlporn.org
<Fontopid> Free porn pic and movies www.girlporn.org
<Aloone> Free porn pic and movies www.sexymovies.da.ru
<n\a> Free porn pic and movies www.girlporn.org

The trojan uses a dictionary file to get its nick, it looks like (I see a lot of the same nicks from totally different locations).. The username is always 6 random lowercase letters (identd never works), and the gecos name is always 21 random lowercase letters..

The version reply of the trojan is always:

Code:

mIRC v6.13 Khaled Mardam-Bey

Anyway, here's the filter I've been using, and it's worked great so far:

Code:

spamfilter {
    regex "^Free porn pic and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)";
    target private;
    reason "Spamming a porn url to users. Scan your pc for viruses.";
    action gline;
};

I don't have a name for this trojan, but if anybody else has one (and a url for it), please let me know.
Syzop
UnrealIRCd head coder
Posts: 2116
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

I guess I'll take a look later today (if I'm bored ;p).
The version reply of the trojan is always:

Code:

mIRC v6.13 Khaled Mardam-Bey

That's interesting... there never was a mIRC 6.13, or at least not publicly (they jumped from 6.12 to 6.14). So another possible alternative is to use a ban version block, which should only affect this worm/bot and not any real mIRC users.
Syzop
UnrealIRCd head coder
Posts: 2116
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

http://www.girlporn.org is a zombie, haven't found any content that causes it to spread.. very strange...
bot settings:
Aserver=66.98.223.114:6669,66.98.223.114:6668,66.98.223.107:6668,66.98.223.107:7000
nick=$v2$randn(5)
ident=dark
name=$comp ($v2/$ver) [$dtime] $cpu $os
umode=+i-xG
chan=#bok
version=33
vreply=mIRC v6.14 Khaled Mardam-Bey
pass=dede
master=*@undernet.org
master2=*@*.undernet.org
url=http://www.deligomlegi.com/updt33.bin
perform=join #bok 1
key=boklu
invt=xc2VydmVyPWtvdHUuZGVsaWdvbWxlZ2kuY29tOjY2NjcNCm5pY2s9JHZhcjENCmlkZW50PSR2YXIyDQpuYW1lPSR2YXIzDQpjaGFuPSNrb3R1Y29jdWsgYmViZXENCnVtb2RlPStpLXgNCm1hc3Rlcj0qQCprb3R1Y29jdWsuY29tDQptYXN0ZXIyPSp2b3Qq

those are 4 ip+ports for 2 servers.. both are unrealircd beta19 modified servers... and they are linked to each other. /map is blocked, /links seems to work, /lusers is blocked, no modules loaded (so source was edited).
zombies will show up like:
invz81956 is dark@**********.**********.** * KLAAS (invz/33) [21-05-2004 23:56] 1,55GHz Windows
invz81956 using kotu.deligomlegi.com tyrants
invz81956 has been idle 2secs, signed on Sat May 22 09:04:08
invz81956 End of /WHOIS list.
The channel #bok itself is +smntuk 1 and no ops present (so can't see anyone)...
also /list was modified to not show the channel even if I'm in it (normally you can see the usercount).

The virus itself (or actually 1 of them, scan.exe, the zombie) is caught as Backdoor.Delf.lq by f-secure.


Now this is all very interesting, but this isn't the "primary trojan" you are talking about ;)... For some reason I was unable to find that one...
Perhaps they used this primary trojan to execute a secondary virus (the one I just described) which is the backdoor... Ah well.. who cares.. I'll just add the sig you used into cvs ;).
Last edited by Syzop on Fri May 21, 2004 11:15 pm, edited 1 time in total.
Syzop
UnrealIRCd head coder
Posts: 2116
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

sig added in cvs.
nexus
Posts: 14
Joined: Fri Mar 12, 2004 5:45 pm

slight twist for this one

Post by nexus »

hiya guys ;)

it seems this one has a slight (very slight) twist to it these days, so I wanted to let ya know

Code:

<StreetSpirit> FREE porn pics and movies www.girlporn.org
<BlowOut> FREE porn pics and movies www.girlporn.org
<KatuMota> FREE porn pics and movies www.sexymovies.da.ru

Also, it seems like the old variant of this (the one I started this thread with) no longer is being spread, so perhaps this virus is self-updating?

anyway here's the new filter I've been using for it (you can change the action and reason fields if ya want):

Code:

spamfilter {
    regex "^Free porn pic.? and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)$";
    target private;
    reason "Spamming a porn url to users. Scan your pc for viruses.";
    action kline;
};

I changed all actions for the filters I use to kline rather than gline, because I think it's a better solution for them. That way, if a user is playing around, and by accident he happens to type a string that triggers a spamfilter (slim chance usually, but it could happen), he can still come back on the network and get help about it. Also, I like not having a bunch of server-set bans cluttering up /stats G hehe.. But I guess it's just a matter of personal preference ;)

and syzop, thanks for doing the research about this one ;)

I wish I had a sandbox I could use just to play around with these viruses.. maybe someday..
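As an added example (not code from the thread or from UnrealIRCd), here is a Python checker that applies the spamfilter regex from both of nexus's posts to raw PRIVMSG lines, case-insensitively as UnrealIRCd's spamfilter does, and scores a client against the ident, gecos and version-reply indicators described above. The log lines, idents and hosts are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Regex taken from the thread's spamfilter block. UnrealIRCd spamfilter regexes
# match case-insensitively, so "Free porn pic" and "FREE porn pics" both hit.
SPAM_RE = re.compile(
    r"^Free porn pic.? and movies (www\.sexymovies\.da\.ru|www\.girlporn\.org)$",
    re.IGNORECASE,
)
# CTCP VERSION reply reported in the thread; mIRC went from 6.12 to 6.14, so 6.13 is bogus.
BOGUS_VERSION_RE = re.compile(r"^mIRC v6\.13 Khaled Mardam-Bey$")
IDENT_RE = re.compile(r"^[a-z]{6}$")   # 6 random lowercase letters (identd never answers)
GECOS_RE = re.compile(r"^[a-z]{21}$")  # 21 random lowercase letters in the real-name field
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!]+)!(?P<ident>[^@]+)@(?P<host>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$"
)

def parse_privmsg(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split a raw ':nick!ident@host PRIVMSG target :text' line; None for other lines."""
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))
    return (m["nick"], m["ident"], m["target"], m["text"]) if m else None

def is_spam_privmsg(text: str) -> bool:
    return SPAM_RE.match(text) is not None

def fingerprint_hits(ident: str, gecos: str, version_reply: str) -> List[str]:
    """Which of the thread's client-fingerprint indicators a connecting client matches."""
    checks = [("ident", IDENT_RE, ident), ("gecos", GECOS_RE, gecos),
              ("version", BOGUS_VERSION_RE, version_reply)]
    return [name for name, rx, value in checks if rx.match(value)]

def scan_log(lines: List[str]) -> List[str]:
    """Nicks that sent the spam as a private message (target is a nick, not a channel)."""
    flagged = []
    for line in lines:
        parsed = parse_privmsg(line)
        if parsed is None:
            continue
        nick, _ident, target, text = parsed
        if not target.startswith(("#", "&")) and is_spam_privmsg(text):
            flagged.append(nick)
    return flagged

# Constructed sample lines modelled on the messages quoted in the thread; hosts are made up.
SAMPLE_LOG = [
    ":StreetSpirit!abcdef@192.0.2.10 PRIVMSG victim :FREE porn pics and movies www.girlporn.org",
    ":Aloone!qwerty@192.0.2.11 PRIVMSG victim :Free porn pic and movies www.sexymovies.da.ru",
    ":friend!~jane@192.0.2.12 PRIVMSG victim :hey, did you see the new movies list?",
    ":relay!xyzabc@192.0.2.13 PRIVMSG #chan :Free porn pic and movies www.girlporn.org",
]
```

The channel message on the last sample line is deliberately not flagged, matching the `target private` scope of the filter.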