Re: ICQ 2000
Blue Boar (BlueBoar THIEVCO.COM)
Mon, 25 Oct 1999 22:03:15 -0700
- Next message: Brad Griffin: "icq2000"
- Previous message: Elias Levy: "ICQ 2000"
- Next in thread: Sean Burford: "Re: ICQ 2000"
- Reply: Sean Burford: "Re: ICQ 2000"
>
> There is a program called ICQ 2000 that claims to be a new
> pre-version of ICQ.
> It's kind of a suspicious thing.
>
> Can anyone from here check this program and tell if it's
> dangerous or not?
>
> The site is:
> http://download-icq2000.hypermart.net/
It's almost certainly a trojan.
I ran it, and it didn't appear to do anything.
(Of course, my sniffer, regmon, and filemon had another story to tell.)
While it sat there "hung" it was advertising itself... to ICQ users:
HTTP: ----- Hypertext Transfer Protocol -----
HTTP:
HTTP: Line 1: POST /scripts/WWPMsg.dll HTTP/1.0
HTTP: Line 2: Host: wwp.icq.com
HTTP: Line 3: Accept: www/source, text/html, video/mpeg, image/jpeg, image/x-tiff
HTTP: Line 4: Accept: image/x-rgb, image/x-xbm, image/gif, */*, application/postscript
HTTP: Line 5: Content-type: application/x-www-form-urlencoded
HTTP: Line 6: Content-Length: 181
HTTP: Line 7:
HTTP:
HTTP: ----- Hypertext Transfer Protocol -----
HTTP:
HTTP: Line 1: from=ICQ&fromemail=ICQ&subject=ICQ2000&body=Try the newest ICQ v.2000 now!!! Available at: http://download-icq2000.hypermart.net/&to=42401866&Send=Send Message
HTTP:
Basically, it looks like it's a trojan/worm that uses ICQ users (i.e.
people) as its transport. A brief glance at the registry and file access
indicates no obvious attempt to "install" itself. It does a bit of poking
at the registry, IE files, ports, and modem settings, but I believe that is
because it looks like it's using the IE code to pull and post web pages per
above.
The ICQ user IDs look random for the few I checked. There is no obvious
pattern. It just kept trying over and over again, until I killed it via
ctrl-alt-del (there was no window.)
I used NAI's SnifferPro, but any Windows sniffer should work. FileMon and
RegMon are both available via www.sysinternals.com.
As I said, it looks harmless, but don't blame me if you run it and it eats
your hard drive.
BB
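As an added example (not part of the original post), here is a small detector for the behaviour described above: the same web-pager message POSTed to wwp.icq.com for one recipient UIN after another. It assumes pager requests have already been pulled from a capture or proxy log as (host, path, body) tuples; the first sample body is the one captured above, the other UINs are constructed.

```python
"""Flag worm-style self-advertising through the ICQ web pager (wwp.icq.com).

A person paging a friend sends one message to one UIN. The worm re-sends an
identical form body to many random UINs, so "same subject+body, many distinct
to= values" is the signal to look for in sniffer or proxy output.
"""
from collections import defaultdict
from urllib.parse import parse_qs

PAGER_HOST = "wwp.icq.com"
PAGER_PATH = "/scripts/WWPMsg.dll"

# Constructed sample records (host, path, body). The first body is the captured
# request; the next two reuse it with made-up UINs to mimic the repeated attempts,
# and the last one is a normal-looking single page that must not be flagged.
WORM_BODY = ("from=ICQ&fromemail=ICQ&subject=ICQ2000&body=Try the newest ICQ v.2000 now!!! "
             "Available at: http://download-icq2000.hypermart.net/&to={uin}&Send=Send Message")
SAMPLE_POSTS = [
    (PAGER_HOST, PAGER_PATH, WORM_BODY.format(uin="42401866")),
    (PAGER_HOST, PAGER_PATH, WORM_BODY.format(uin="11111111")),
    (PAGER_HOST, PAGER_PATH, WORM_BODY.format(uin="99999999")),
    (PAGER_HOST, PAGER_PATH,
     "from=alice&fromemail=alice@example.invalid&subject=hi&body=lunch?&to=12345678&Send=Send Message"),
]


def parse_pager_post(body):
    """Return (to_uin, subject, body_text) from a WWPMsg.dll form body.

    The captured body is not percent-encoded, so parse_qs mainly splits on
    '&' and '='; keep_blank_values keeps empty fields visible in the output.
    """
    fields = parse_qs(body, keep_blank_values=True)

    def first(key):
        return fields.get(key, [""])[0]

    return first("to"), first("subject"), first("body")


def find_pager_spam(posts, min_targets=3):
    """Group pager POSTs by identical (subject, body) and return those sent to
    at least `min_targets` distinct UINs as {(subject, body): sorted UINs}."""
    targets = defaultdict(set)
    for host, path, body in posts:
        if host != PAGER_HOST or path != PAGER_PATH:
            continue  # only the web-pager endpoint matters for this pattern
        to_uin, subject, text = parse_pager_post(body)
        targets[(subject, text)].add(to_uin)
    return {key: sorted(uins) for key, uins in targets.items() if len(uins) >= min_targets}
```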
This archive was generated by hypermail 2.0b3 on Tue Oct 26 1999 - 00:02:41 CDT