ebay.da.ru virus

These are old archives. They are kept for historic purposes only.
nexus
Posts: 14
Joined: Fri Mar 12, 2004 5:45 pm

ebay.da.ru virus

Post by nexus » Mon May 31, 2004 9:01 pm

This one has become quite an annoyance lately.. The virus appears to use mIRC DDE to send channel msgs to people at random times.

<aV3ng3r> http://cgi.ebay.da.ru/ws/eBayISAPI.dll?ViewItem&item=313371337
<ren3> http://cgi.ebay.da.ru/ws/eBayISAPI.dll?ViewItem&item=508745896
<nelsonn> ahaha http://cgi.ebay.da.ru/ws/eBayISAPI.dll?ViewItem&item=3292527560
If anybody has more info about this virus, let me know plz ;)

Here's the filter I've been using:

spamfilter {
     regex ".*http://cgi\.ebay\.da\.ru/ws/eBayISAPI\.dll\?ViewItem&item=.*";
     target channel;
     reason "Spamming an infected url to users.";
     action block;
};

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop » Tue Jun 01, 2004 2:13 am

If you visit the url (which you should obviously NOT do ;p) you get infected with a 'BotNut' trojan variant. F-Secure recognizes it as 'Backdoor.IRC.Botnut.b'. Trendmicro doesn't seem to recognize it at all (but it has some info on botnut.a online, contrary to f-secure which has 0.0 info on botnut online).

Trojan connects to a couple of irc servers... gamesnet.com but that chan is banned, some other attempts too I guess, and also one that does work which is 213.114.171.71 port 6668 channel #botnut key botnut... running some ircserv called 'beware' using a (fake) irc serverhostname 'botnut.org' (tada! ;p).. and almost all commands are blocked (who, whois, names, userhost, mode, etc). Channel just had 3 users (of which 1 was me) when I joined btw.

Unfortunately I wasn't able to (quickly) find the spam thingy/strings itself, but I guess your filter will be just fine :).

Oh btw.. the virus uses the mshtml exploit... not very original :p.

codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr » Tue Jun 01, 2004 2:50 am

I'd say, use a bit more strict matching.

regex ".*http://cgi\.ebay\.da\.ru/ws/eBayISAPI\.dll\?ViewItem&item=[0-9]+$";

The idea is to try and prevent things like "Someone just msged me with http://......&item=12345, what do I do?" from getting you caught. So if you set it to require all numbers, and to end with the numbers, you get fewer false positives.
-- codemastr
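To see the false-positive difference codemastr is describing, here is an added example (not from the thread or from UnrealIRCd) that runs the two regexes from this discussion over a handful of constructed channel lines. It assumes that Python's re module agrees with UnrealIRCd's spamfilter matcher on these simple patterns; the nicks and messages are made up, modelled on the spam quoted above plus one legitimate user asking about the link.

```python
import re

# The two spamfilter regex bodies from the thread, used verbatim:
# nexus's original (loose) pattern and codemastr's stricter one.
LOOSE = r".*http://cgi\.ebay\.da\.ru/ws/eBayISAPI\.dll\?ViewItem&item=.*"
STRICT = r".*http://cgi\.ebay\.da\.ru/ws/eBayISAPI\.dll\?ViewItem&item=[0-9]+$"

# Constructed sample channel lines (nick, message). The first two mimic the
# spam quoted in the thread, the third is a legitimate user quoting the link
# while asking for help, the fourth is unrelated chatter.
SAMPLE_LINES = [
    ("aV3ng3r", "http://cgi.ebay.da.ru/ws/eBayISAPI.dll?ViewItem&item=313371337"),
    ("nelsonn", "ahaha http://cgi.ebay.da.ru/ws/eBayISAPI.dll?ViewItem&item=3292527560"),
    ("victim", "Someone just msged me with "
               "http://cgi.ebay.da.ru/ws/eBayISAPI.dll?ViewItem&item=12345, what do I do?"),
    ("friend", "hey, anyone seen the new release?"),
]


def matches(pattern, text):
    """spamfilter semantics as assumed here: block if the regex matches
    anywhere in the message (re.search, not an anchored full match)."""
    return re.search(pattern, text.rstrip("\n")) is not None


def classify(lines, pattern):
    """Return the nicks whose message the given pattern would block."""
    return [nick for nick, msg in lines if matches(pattern, msg)]


def false_positives(lines, loose, strict):
    """Nicks blocked by the loose pattern but let through by the strict one,
    i.e. the collateral damage the stricter regex avoids."""
    return sorted(set(classify(lines, loose)) - set(classify(lines, strict)))


if __name__ == "__main__":
    print("blocked by loose :", classify(SAMPLE_LINES, LOOSE))
    print("blocked by strict:", classify(SAMPLE_LINES, STRICT))
    print("saved by strict  :", false_positives(SAMPLE_LINES, LOOSE, STRICT))
```

The trade-off is the usual one for anchored patterns: requiring the message to end in the item number keeps the "what do I do?" user from being blocked, but a variant of the bot that appended text after the number would slip past the strict regex, so the filter's logs are worth a glance after tightening it.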

JRandomMe

Actually

Post by JRandomMe » Mon Jul 05, 2004 3:12 am

Block everything from da.ru. I had a chance to 'chat' with the guy running it before he g-lined me.

Basically, anything @ da.ru redirects to the exploit.

codemastr
Former UnrealIRCd head coder
Posts: 811
Joined: Sat Mar 06, 2004 8:47 pm
Location: United States

Post by codemastr » Mon Jul 05, 2004 4:19 am

I have no idea where you got that info from, but it is completely false.
-- codemastr
