
#135189 09/11/05 04:16 AM
Hoopy frood (OP), Joined: Oct 2005, Posts: 1,741
(If this should be in another area, can the mods please move it accordingly.)

Recently, a bunch of infected clients have been connecting to our network. They all join a particular channel called #miamiwaters. After they join, they send a string of apparently random characters. On closer inspection, the string is always the same, except that it has spaces thrown randomly into it. These strings (with the spaces removed) don't seem to translate to anything using mIRC's $decode function. Several examples:

Code:
ae9 954d 4 630f 47468d6bra r2233742025raqbclcrmn23bofbamoacqvblgv

ae9954d463 0f4746 8d 6 bra r2233742025raqbclcrmn23bofbamoacqvblgv

ae99 54d46 30f 47468d6 brar2233742025raqbclcrmn23bofbamoacqvblgv

If anyone knows anything about these bots/viruses could you please share it with everyone else? The name of the virus would be useful and if there is some way of removing/disabling/controlling the infection to prevent them from connecting to the server it would be much appreciated.

Thanks
-genius_at_work

#135190 09/11/05 05:48 AM
Fjord artisan, Joined: Feb 2003, Posts: 372
This does sound a tiny bit like a remote-controllable botnet infected by some kind of worm, usable for DDoSing. If that's the case, it could be interesting not only to block them from your network, but trace whoever might be controlling them.

#135191 09/11/05 10:28 AM
Hoopy frood (OP), Joined: Oct 2005, Posts: 1,741
There isn't an overwhelming number of them at this point, and they don't seem to be coded to evade bans, so keeping them off the network should be easy enough. They seem to take the existing ident of the infected machine, then use the first 5 letters of that ident plus 4 random numbers as a nickname.

More than anything I want to figure out what sort of virus they are so that I can know what they are being used for, i.e. DoS'ing, flooding IRC users/channels, etc. If there is a way of forcing the virus to uninstall itself or crash itself by sending it a certain string of characters or commands, then we could set up our own bot to disinfect any bots that join the channel. If there turns out to be no way to remotely disinfect the bots, they will just end up being banned, and that will be the end of it.

Thanks,
-genius_at_work
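The two observations in this thread (a fixed payload with random spaces thrown in, and nicks built from the first five characters of the ident plus four digits) are enough to write a server-side detector. The script below is an added example, not code from the original posts or from mIRC; it is written in Python as something a network operator would run over extracted JOIN/PRIVMSG events rather than as a mIRC script. The event tuple layout and the sample events are constructed for this example, and stripping a leading "~" from the ident (the no-identd marker) before taking its first five characters is an assumption of the example, not something the thread states. It also goes a step beyond the posts: discover_payloads() finds a repeated payload without knowing it in advance, by normalising whitespace and looking for the same string sent by several distinct nicks.

```python
import re
from collections import defaultdict

# Payload quoted in the thread, with the random spaces removed (fourth post).
KNOWN_PAYLOAD = "ae9954d4630f47468d6brar2233742025raqbclcrmn23bofbamoacqvblgv"

# Constructed sample events, not real server logs: (nick, ident, channel, message).
# The three spaced variants are the ones quoted in the first post.
SAMPLE_EVENTS = [
    ("johnd4821", "~johndoe",   "#miamiwaters", "ae9 954d 4 630f 47468d6bra r2233742025raqbclcrmn23bofbamoacqvblgv"),
    ("alice9903", "alice",      "#miamiwaters", "ae9954d463 0f4746 8d 6 bra r2233742025raqbclcrmn23bofbamoacqvblgv"),
    ("kevin1107", "kevinsmith", "#miamiwaters", "ae99 54d46 30f 47468d6 brar2233742025raqbclcrmn23bofbamoacqvblgv"),
    ("Bob",       "bob",        "#miamiwaters", "hey, anyone know what those strings are?"),
    ("zed0042",   "~zed",       "#help",        "ae9954d4630f47468d6brar2233742025raqbclcrmn23bofbamoacqvblgv"),
]


def normalize(msg: str) -> str:
    """Collapse the random whitespace the bots insert so identical payloads compare equal."""
    return re.sub(r"\s+", "", msg).lower()


def nick_follows_bot_pattern(nick: str, ident: str) -> bool:
    """First five characters of the ident followed by exactly four digits (third post).

    Dropping a leading '~' from the ident is an assumption of this example; idents
    shorter than five characters are used whole.
    """
    base = ident.lstrip("~")[:5]
    return re.fullmatch(re.escape(base) + r"\d{4}", nick, re.IGNORECASE) is not None


def classify(event) -> list:
    """Return the list of heuristics an event trips (empty list = nothing suspicious)."""
    nick, ident, _channel, msg = event
    reasons = []
    if normalize(msg) == KNOWN_PAYLOAD:
        reasons.append("known payload")
    if nick_follows_bot_pattern(nick, ident):
        reasons.append("nick pattern")
    return reasons


def flag_events(events) -> dict:
    """Map nick -> reasons for events that sent the known payload.

    The payload alone is treated as decisive; the nick pattern alone is only
    corroborating, since a legitimate user can pick a nick like 'alice9903'.
    """
    flagged = {}
    for ev in events:
        reasons = classify(ev)
        if "known payload" in reasons:
            flagged[ev[0]] = reasons
    return flagged


def discover_payloads(events, min_senders: int = 3) -> dict:
    """Signature-free variant: group messages by their normalised form and report any
    string repeated verbatim by at least min_senders distinct nicks. A fixed bot payload
    with random spacing collapses to one key; human chatter does not."""
    senders = defaultdict(set)
    for nick, _ident, _channel, msg in events:
        senders[normalize(msg)].add(nick)
    return {payload: sorted(nicks) for payload, nicks in senders.items() if len(nicks) >= min_senders}


if __name__ == "__main__":
    for nick, reasons in flag_events(SAMPLE_EVENTS).items():
        print(f"{nick}: {', '.join(reasons)}")
    for payload, nicks in discover_payloads(SAMPLE_EVENTS).items():
        print(f"repeated payload {payload[:16]}... from {len(nicks)} nicks")
```

Feeding the output of flag_events() into a ban or G-line list is the "keep them off the network" step the original poster describes; discover_payloads() is the piece worth keeping around afterwards, since it will surface a changed payload the moment a new wave of bots starts repeating it.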

#135192 10/11/05 05:38 AM
Hoopy frood, Joined: Sep 2003, Posts: 4,230
More than likely ae9954d4630f47468d6brar2233742025raqbclcrmn23bofbamoacqvblgv is an id & encryption codekey that can be used to encrypt commands to the bot, likely a public key to match one of the private keys the virus writer has. Without the private key(s) you will never be able to order the bots to do anything; even if you got hold of the PC with the infection you can't work out how to create the encrypted commands that that key would decrypt. Best of luck though, but I think you will find you're limited to just preventing them having access.
