Security Incidents mailing list archives
Re: possible new irc worm
From: Chris Ess <azarin () tokimi net>
Date: Sat, 28 Jun 2003 19:18:55 -0400 (EDT)
"mindjail.zip" contains a HTML file, "mindjail.html", which drops and executes "javax.sun.base.exe" (MD5: 286b884697dffd5a535295dcf5a4c6ea) on vulnerable systems - see "Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part II", <http://www.securityfocus.com/archive/1/313174>, for more information about the vulnerability. "javax.sun.base.exe" is an upx'ed SdBot variant. It tries to connect to "hk.zxy0.com" [64.156.241.176].
Do you know why the messages appeared to stop at 1930 GMT or so yesterday (27 June 2003)? I am told that they just mysteriously stopped around this time on every network they were hitting. (I have been unable to confirm this personally, but I haven't seen mindjail on either of the IRC networks I frequent for over 24 hours now.)

Sincerely,

Chris Ess
Systems Administrator / CDTT (Certified Duct Tape Technician)
Current thread:
- possible new irc worm ZSisic (Jun 27)
- Re: possible new irc worm Becky (Jun 27)
- Re: possible new irc worm rewt (Jun 27)
- Re: possible new irc worm Chris Ess (Jun 28)
- Re: possible new irc worm Paolo Monti (Jun 28)
- Re: possible new irc worm Chris Ess (Jun 28)
- Re: possible new irc worm Axel Pettinger (Jun 28)
- Re: possible new irc worm Chris Ess (Jun 29)
