Speedup irc

Posted: Sat Jul 10, 2004 7:14 pm
by avone
Some users have reported this on my network. I haven't actually caught it myself, but the messages are pretty much all the same: the same email address in all the messages, with only the filename changing. The message makes it look like they are staff of your network and uses your network name, probably from $network within mIRC. Now the email address will probably change soon, but anyway, here it is.

Hi dear, we our yournetworkname staff, and we send you this file to speed up your XDCCserv, to reception/send's files FASTER, so Unzipped the file then click on "setup.exe" and set your settings on, thanks, enjoy your time, [if the any bugs email: [email protected], thank you]

I'm still new to regexp so I'm not exactly sure what to use for the spamfilter other than adding in the filenames and the email address, but I know they will change. Any help would be appreciated.

Posted: Sat Jul 10, 2004 11:29 pm
by aquanight
Here goes: ;P

^Hi dear, we our .* staff, and we send you this file to speed up your XDCCserv, to reception/send's files FASTER, so Unzipped the file then click on ".+\.exe" and set your settings on, thanks, enjoy your time, \[if the any bugs email: .+@(.+\.)+.+, thank you\] $

Basically not much changed ;P except for the replacement of the variable portions (net name and, as you mentioned, the filename and email address), and escaping what would have been special characters... and of course the ^ and $ assertions :P .

Posted: Sun Jul 11, 2004 9:06 pm
by avone
The people who are sending this virus/trojan all seem to be using the same nickname. They connect with a different ident, host and realname, but none of them have a CTCP reply; their idents seem to rotate based on another bot's nickname. They all send the same file so far, which is XDCCTrigga.zip. I have that file blocked and gline anyone matching it too.

fileguy(2:04:06:pm) ••• (s) [Spamfilter] shaved!~[email protected] matches filter 'XDCCTrigga.zip': [NOTICE Hoola: 'DCC Send XDCCTrigga.zip (66.30.218.244)'] [XDCC trojan]

Here is a collection of nicknames they have been using since they started to attack my network.

If I get anymore info on this certain attack I'll post more.

Posted: Thu Jul 15, 2004 10:01 am
by MagicalTux
The file names have changed...

I saw a lot of .zip files recently... dunno how to block that x_x

Posted: Thu Jul 15, 2004 11:09 pm
by w00t
".+\.exe"
Probably becomes ".+\.zip" :) (just guessing, I don't know regexp)

Posted: Fri Jul 16, 2004 12:04 am
by aquanight
Exactly :) .

In fact, if you want to account for future possibilities, you could also do .+\.(exe|zip|com|bat|cmd|dll|ocx|msi)
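Added example (not from any poster in this thread): the regex from the earlier reply, with the extension alternation from the last post, turned into a small Python `re` filter and checked against constructed lure messages. It assumes a PCRE-style engine like Python's, and the network name, filenames and addresses are placeholders.

```python
import re

# Extensions suggested in the last post; the filename itself is variable.
EXTENSIONS = "exe|zip|com|bat|cmd|dll|ocx|msi"

# Fixed wording of the lure, with the three variable portions replaced:
# network name (.*), filename (.+\.<ext>) and email address. \s*$ also
# tolerates trailing whitespace on the message (an assumption, not from the thread).
LURE_RE = re.compile(
    r"^Hi dear, we our .* staff, and we send you this file to speed up your "
    r"XDCCserv, to reception/send's files FASTER, so Unzipped the file then "
    r'click on ".+\.(?:' + EXTENSIONS + r')" and set your settings on, thanks, '
    r"enjoy your time, \[if the any bugs email: [^\s@,]+@[^\s,]+, thank you\]\s*$"
)

def make_lure(network: str, filename: str, email: str) -> str:
    """Rebuild the lure text with the variable portions filled in (constructed)."""
    return (f"Hi dear, we our {network} staff, and we send you this file to speed up "
            f"your XDCCserv, to reception/send's files FASTER, so Unzipped the file "
            f'then click on "{filename}" and set your settings on, thanks, enjoy your '
            f"time, [if the any bugs email: {email}, thank you]")

def is_lure(message: str) -> bool:
    """True when the message matches the spamfilter pattern."""
    return LURE_RE.match(message) is not None

def filter_messages(messages):
    """Split messages into (blocked, allowed), as a spamfilter would."""
    blocked = [m for m in messages if is_lure(m)]
    allowed = [m for m in messages if not is_lure(m)]
    return blocked, allowed

# Constructed samples: two variants of the lure, one with a harmless extension,
# and one ordinary line of chat that happens to share a few words.
SAMPLES = [
    make_lure("ExampleNet", "setup.exe", "ops@example.invalid"),
    make_lure("OtherNet", "XDCCTrigga.zip", "help@example.invalid"),
    make_lure("ExampleNet", "notes.txt", "ops@example.invalid"),
    "Hi dear, can you help me set up my XDCC bot?",
]

if __name__ == "__main__":
    blocked, allowed = filter_messages(SAMPLES)
    for m in blocked:
        print("BLOCK:", m[:60])
    for m in allowed:
        print("allow:", m[:60])
```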