-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Rob Thomas
Sent: Monday, June 17, 2002 9:22 PM
To: NANOG
Subject: NANOG wins a bot
Hi, all.
This evening the NANOG mailing list received e-mail from a "jim bruer," aka jim_teh_man@yahoo.com. This e-mail, with a topic of "ConfigMaker Beta" (a Cisco product) included an attachment labelled as "cisco_configmaker.exe." This is actually a war bot known as Slackbot, version 1.0. This bot attempts to connect to the IRC server irc.easynews.com, 140.99.102.3. This IP address is part of the 140.99.96.0/19 prefix announced by ASN 2 (ACES Research - The Tucson Interconnect). The channel is #midgets_in_drag with no channel key.
.. Just for the record, we are in no way affiliated with this trojan :)
The server is not running, so this botnet (perhaps an old one) is not available for woe. The bot runs on Windows as wuordona.exe, and installs in c:\winnt\.
It will be available for woe once again tomorrow morning (down for maint.), so be afraid..
This is likely an attempt by some miscreants to build a botnet through the e-mail spam method. Since Slackbot does not include a spam mechanism, some other bit of malware must be involved.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
Regards,
Matt
--
Matt Levine
@Home: matt@deliver3.com
@Work: matt@eldosales.com
ICQ : 17080004
AIM : exile
GPG : http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x6C0D04CF
"The Trouble with doing anything right the first time is that nobody appreciates how difficult it was." -BIX
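Added example, not part of either poster's message: a detection pass over captured client-to-server IRC lines that separates hosts which joined the reported channel on the reported server from hosts that merely used that server, which the thread indicates is a public IRC host. The server IP and channel come from the post; the record layout, internal addresses and sample traffic are constructed assumptions.

```python
# Added example: indicators are the ones quoted in the post above;
# the record layout and sample traffic are constructed for illustration.
C2_IP = "140.99.102.3"           # irc.easynews.com, per the post
C2_CHANNEL = "#midgets_in_drag"  # joined with no channel key, per the post

def parse_irc(line):
    """Split one IRC line into (command, params) following RFC 1459."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):                  # optional prefix, drop it
        _, _, line = line.partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return "", []
    params = parts[1:] + ([trailing] if sep else [])
    return parts[0].upper(), params

def joined_channels(line):
    """Channels named by a JOIN line (a comma-separated list is allowed).
    Names are lowercased because IRC channel names are case-insensitive."""
    command, params = parse_irc(line)
    if command != "JOIN" or not params:
        return []
    return [c.lower() for c in params[0].split(",") if c]

def classify(records):
    """Map each source host to 'high' (joined the channel on the listed
    server) or 'low' (only talked to the server, a public IRC host)."""
    verdict = {}
    for src, dst, line in records:
        if dst != C2_IP:
            continue
        verdict.setdefault(src, "low")
        if C2_CHANNEL in joined_channels(line):
            verdict[src] = "high"
    return verdict

# Constructed sample: (source host, destination IP, client-to-server line)
SAMPLE = [
    ("10.1.4.22", "140.99.102.3", "NICK xkqzt\r\n"),
    ("10.1.4.22", "140.99.102.3", "JOIN #Midgets_In_Drag\r\n"),
    ("10.1.7.9",  "140.99.102.3", "JOIN #linux,#help\r\n"),
    ("10.1.8.3",  "192.0.2.50",   "JOIN #midgets_in_drag\r\n"),
]

if __name__ == "__main__":
    for host, level in sorted(classify(SAMPLE).items()):
        print(host, level)
```

A "high" host is also worth checking for wuordona.exe under c:\winnt\, the install location given in the post.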