Speedup irc

These are old archives. They are kept for historic purposes only.
avone

Speedup irc

Post by avone » Sat Jul 10, 2004 7:14 pm

Some users have reported this on my network. I haven't actually caught it myself, but the messages are pretty much all the same: the same email address on all the messages and the filename changing. The message makes it look like they are staff with your network and uses your network name, probably from $network within mIRC. Now the email address will probably change soon, but anyways. Here it is.

Hi dear, we our yournetworkname staff, and we send you this file to speed up your XDCCserv, to reception/send's files FASTER, so Unzipped the file then click on "setup.exe" and set your settings on, thanks, enjoy your time, [if the any bugs email: Srblche@hotmail.com, thank you]

I'm still new to regexp so I'm not exactly sure what to use for the spamfilter other than adding in the filenames and the email address, but I know they will change. Any help would be appreciated.

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Sat Jul 10, 2004 11:29 pm

Here goes: ;P

^Hi dear, we our .* staff, and we send you this file to speed up your XDCCserv, to reception/send's files FASTER, so Unzipped the file then click on ".+\.exe" and set your settings on, thanks, enjoy your time, \[if the any bugs email: .+@(.+\.)+.+, thank you\]$

Basically not really much changed ;P except the replacement of the variable portions (net name, and as you mentioned the filename and email address), and escaping what would have been special characters... and of course the ^ and $ assertions :P .

avone

Post by avone » Sun Jul 11, 2004 9:06 pm

The people who are sending this virus/trojan all seem to be using the same nickname. They connect with a different ident, host, and realname, but none of them have a CTCP reply; their idents seem to rotate based on another bot's nickname. They all send the same file so far, which is XDCCTrigga.zip. I have that file blocked and gline anyone matching it too.

fileguy(2:04:06:pm) ••• (s) [Spamfilter] shaved!~saxev@h000094b7b46a.ne.client2.attbi.com matches filter 'XDCCTrigga.zip': [NOTICE Hoola: 'DCC Send XDCCTrigga.zip (66.30.218.244)'] [XDCC trojan]

Here is a collection of nicknames they have been using since they started to attack my network.

beaver
couples
DMX-RAP
double
dripping
hardcore
Hiph0p
hookers
linuxer
mp3guy
mp3master
mp3sent
mp3xdcc
netscape
olduser
rooter
shaved
unixer
vibrator
winimp
XDCC
xdcccrap
xdccguy
xdcclame
xdccly
xdccsend
xdccsender
XDCCsync
XPmaster

If I get anymore info on this certain attack I'll post more.

MagicalTux

Post by MagicalTux » Thu Jul 15, 2004 10:01 am

The file names have changed...

I saw a lot of .zip files recently... dunno how to block that x_x

w00t
Posts: 1136
Joined: Thu Mar 25, 2004 3:31 am
Location: Nowra, Australia

Post by w00t » Thu Jul 15, 2004 11:09 pm

".+\.exe"
Probably becomes ".+\.zip" :) (just guessing, I don't know regexp)
-ChatSpike IRC Network [http://www.chatspike.net]
-Denora Stats [http://denora.nomadirc.net]
-Omerta [http://www.barafranca.com]

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Fri Jul 16, 2004 12:04 am

Exactly :) .

In fact, if you want to account for future possibilities you could also do .+\.(exe|zip|com|bat|cmd|dll|ocx|msi)
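As an added example (not code from the thread or from UnrealIRCd itself), here is a small Python check that applies the corrected filter from this thread with the extension alternation above, and parses the spamfilter notice format quoted earlier so matches can be pulled out of a log. The exact notice layout is assumed from the single line quoted in the thread; other server versions may differ.

```python
import re

# The "Speedup irc" message with its variable parts generalised: network name,
# payload file name (any of the extensions proposed in the thread) and address.
SPEEDUP_RE = re.compile(
    r"^Hi dear, we our .* staff, and we send you this file to speed up your "
    r"XDCCserv, to reception/send's files FASTER, so Unzipped the file then "
    r"click on \".+\.(exe|zip|com|bat|cmd|dll|ocx|msi)\" and set your settings "
    r"on, thanks, enjoy your time, \[if the any bugs email: .+@(.+\.)+.+, thank you\]$"
)

# A DCC SEND offer of an executable-style payload, same extension list.
DCC_RE = re.compile(r"DCC Send .+\.(exe|zip|com|bat|cmd|dll|ocx|msi) \(", re.IGNORECASE)

# Field layout of the [Spamfilter] notice quoted in the thread (assumed format).
LOG_RE = re.compile(
    r"\[Spamfilter\] (?P<nick>[^!]+)!(?P<ident>[^@]+)@(?P<host>\S+) matches filter "
    r"'(?P<filter>[^']+)': \[(?P<cmd>\w+) (?P<target>\S+): '(?P<payload>[^']*)'\] "
    r"\[(?P<reason>[^\]]*)\]"
)

# Constructed samples: the message quoted in the thread, and a variant with the
# network name, file name and address swapped out as the poster expected.
SAMPLE_ORIGINAL = (
    "Hi dear, we our yournetworkname staff, and we send you this file to speed up "
    "your XDCCserv, to reception/send's files FASTER, so Unzipped the file then "
    'click on "setup.exe" and set your settings on, thanks, enjoy your time, '
    "[if the any bugs email: Srblche@hotmail.com, thank you]"
)
SAMPLE_VARIANT = (SAMPLE_ORIGINAL.replace("yournetworkname", "ExampleNet")
                  .replace("setup.exe", "XDCCTrigga.zip")
                  .replace("Srblche@hotmail.com", "someone@example.invalid"))
SAMPLE_NOTICE = ("[Spamfilter] shaved!~saxev@h000094b7b46a.ne.client2.attbi.com matches "
                 "filter 'XDCCTrigga.zip': [NOTICE Hoola: 'DCC Send XDCCTrigga.zip "
                 "(66.30.218.244)'] [XDCC trojan]")

def is_speedup_message(text):
    """True if the whole message matches the generalised spam template."""
    return SPEEDUP_RE.match(text) is not None

def is_suspicious_dcc(text):
    """True if the text carries a DCC Send offer of a blocked extension."""
    return DCC_RE.search(text) is not None

def parse_spamfilter_notice(line):
    """Split a spamfilter notice into nick/ident/host/filter/target/payload fields."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None
```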
