Re: [MLUG] port 17300 and kuang2 trojan

On Tuesday 13 May 2003 01:45 pm, you wrote:
> In the last 2 days I've seen a massive increase in port 17300 connection
> attempts on my Solaris box coming from all over the world.  I guess this
> is the kuang2 trojan.  I suppose it doesn't attack Solaris and it is
> looking for Windows shares or somesuch.  Is that it?  Am I safe?  Is
> kuang2 making the news this week?
>
> Mike

What about Fizzer? Below is some info from
http://www.eweek.com/article2/0,3959,1079560,00.asp. Fun ahead, mostly for
Windoze users, though.

Mark


"This is one of the more complicated worms we've seen", comments Mikko
Hypponen, manager of anti-virus research at F-Secure Corp., based in Helsinki,
Finland. "The worm is 200kB of code spaghetti, containing backdoors, code
droppers, attack agents, key loggers and even a small Web server."

The new worm has several other capabilities that make it particularly troubling
and dangerous. Fizzer includes an IRC bot that attempts to connect to a number
of different IRC servers and, once it establishes a connection, listens
passively for further instructions. This kind of activity is often the
precursor to a distributed DoS (denial-of-service) attack. The worm also has
the ability to create a new user account on AIM (AOL Instant Messenger), join a
chat session and then listen for instructions.

But perhaps the most interesting aspect of Fizzer is the HTTP server it
contains. The server runs on a configured TCP port and in effect acts as a
command console,

The HTTP server also gives the attacker the ability to remotely launch DoS
attacks, further propagate the worm via e-mail, issue commands to the IRC and
AIM bots, and kill anti-virus applications.

The keystroke logger records every typed letter and saves the log in an
encrypted file on the infected machine. If the infected PC has the Kazaa
file-sharing program installed, Fizzer also has the ability to find the default
download location for Kazaa files and copy itself to that folder. It will have
a random filename and could easily be mistaken for a media file and downloaded
by another Kazaa user.

At its heart, Fizzer is a mass-mailing worm that arrives in users' mailboxes in
an e-mail with a random subject line and body text. The attachment containing
the worm is an executable file, but has a random name and may also have a
random file extension that disguises the fact that it is an executable.
_______________________________________________
members mailing list
http://mlug.missouri.edu/mailman/listinfo/members
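The surge Mike describes (many port 17300 SYNs from unrelated hosts all over the world) is the signature of infected machines sweeping for other infections rather than an attack aimed at one box. The script below is an added example, not part of this thread or of any tool mentioned in it: it parses constructed firewall log lines (iptables LOG style, chosen as an assumption; addresses are from the RFC 5737 documentation ranges) and summarises attempts against a given port by source host, so one can tell a broad worm-style sweep from repeated probing by a single host.

```python
import re
from collections import Counter

# Constructed sample lines in iptables LOG style (an assumption; not taken
# from the original post). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
May 13 13:40:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3122 DPT=17300 SYN
May 13 13:40:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=4011 DPT=17300 SYN
May 13 13:41:15 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3123 DPT=17300 SYN
May 13 13:42:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.10 PROTO=TCP SPT=1088 DPT=80 SYN
May 13 13:43:44 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=2201 DPT=17300 SYN
May 13 13:44:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=53
May 13 13:45:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.33 DST=192.0.2.10 PROTO=TCP SPT=1500 DPT=17300 SYN
"""

# Fields we care about; the non-greedy ".*?" skips IN=/OUT= and similar.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict with ts/src/dst/proto/spt/dpt for a recognised firewall
    log line, or None for anything else (other daemons, malformed lines)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def summarize_port(log_text, port, proto="TCP"):
    """Count attempts against `port`/`proto`: total hits, number of distinct
    source hosts, and per-source counts sorted most-active first."""
    per_src = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == proto and rec["dpt"] == port:
            per_src[rec["src"]] += 1
    return {
        "port": port,
        "total": sum(per_src.values()),
        "distinct_sources": len(per_src),
        "top_sources": per_src.most_common(),
    }


def looks_like_sweep(summary, min_sources=3):
    """Many unrelated sources each sending a few probes is the worm-sweep
    pattern; one source hammering the port repeatedly is something else and
    deserves a closer look. The threshold is an arbitrary example value."""
    return summary["distinct_sources"] >= min_sources


def main():
    s = summarize_port(SAMPLE_LOG, 17300)
    print(f"port {s['port']}: {s['total']} attempts from "
          f"{s['distinct_sources']} distinct sources")
    for src, n in s["top_sources"]:
        print(f"  {src:16} {n}")
    if looks_like_sweep(s):
        print("pattern: broad sweep from many sources (worm-style scanning)")


if __name__ == "__main__":
    main()
```

The summary only tells you who is knocking; whether it matters depends on whether anything on the host actually listens on that port, which is the first thing to check (`netstat -an` on the box) before spending time on the source addresses.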