Regarding the report of a new PHP worm that we mentioned yesterday:
it is based heavily on the PhpInclude code on site. It
appears to be a variant of the ASW worm and is being used to drop
an IRC bot that connects to a server in Brazil. Google has
been notified. The worm doesn't appear to be identified by many AV
vendors yet; however, the bot is (from VirusTotal):
Antivirus      Version           Update       Result
AntiVir        188.8.131.52      02.24.2005   no virus found
AVG            718               02.22.2005   PERL/ShellBot
BitDefender    7.0               02.24.2005   Backdoor.Perl.Shellbot.B
ClamAV         devel-20050130    02.24.2005   Trojan.Perl.Shellbot.C
DrWeb          4.32b             02.24.2005   no virus found
eTrust-Iris    184.108.40.206    02.24.2005   no virus found
eTrust-Vet     220.127.116.11    02.24.2005   Perl.Shellbot.A
Fortinet       2.51              02.25.2005   no virus found
F-Prot         3.16a             02.24.2005   Unix/ShellBot.C
Ikarus         2.32              02.24.2005   Backdoor.Perl.Shellbot.A
Kaspersky      18.104.22.168     02.25.2005   Backdoor.Perl.Shellbot.a
NOD32v2        1.1007            02.23.2005   Perl.Shellbot.A
Norman         5.70.10           02.22.2005   no virus found
Panda          8.02.00           02.24.2005   no virus found
Sybari         7.5.1314          02.25.2005   Perl.Shellbot.A
Symantec       8.0               02.24.2005   IRC.Backdoor.Trojan
Two ports moving as one
An alert reader noticed that the number of targets for both
41523/TCP and 6504/TCP has been spiking pretty much in unison
over the last two weeks or so. Initial searches don't turn up much
on what these ports are used for. There are some suggestions that
41523/TCP might be Arcserve or InoculateIT and that 6504/TCP might
be NetOp. Any information would be welcome.
What ever happened to....
I've gotten some questions about what Meeneemee.exe turned out to
be. The simple answer is that we never found a conclusive answer.
However, we have gotten a number of interesting observations:
Eric Tiesinga kindly gave us a possible translation of the word:
Mee --> With, like in "I take something with me"
Neem --> Take, like in "I take something with me"
The words "meeneem" could be a 1st verb of the full word
"meenemen", which could be translated as "take with (me)", like
(I go on a journey).
[Note: STOP! Before you send that email... yes, we *DO* know that it
could be an homage to Dr. Evil's vertically-challenged side-kick.
We knew that before we posted this. We actually *DO* manage to climb
out from under our rocks and see a movie every now and again...
Do you think we've been frozen for the last 30 years, baby? ;-) -TL]
Trend Micro A/V Vulnerable to ARJ Heap Overflow
Just got word that Trend Micro has joined the ranks of A/V
vendors who have issued advisories and patches to fix an ARJ file
format parser vulnerability. From ... it is possible to
create a specially-crafted ARJ archive file that overwrites data
after the allocated 512-byte buffer. Such a specially-crafted
file could allow execution of arbitrary code.
The original ISS X-Force advisory is referenced there, too.
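To illustrate the class of bug behind the 512-byte buffer mentioned above, here is an added example (not code from the diary, Trend Micro or ISS) of a bounded header reader beside the unsafe pattern it replaces. The header layout is a simplified, assumed ARJ-style layout for this example, not the full ARJ specification: 2-byte magic 0x60 0xEA, a 2-byte little-endian header size, then a header body starting with a NUL-terminated file name.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed, simplified ARJ-style header for this example: magic 0x60 0xEA,
 * 2-byte little-endian header size, then a body that begins with a
 * NUL-terminated file name. The scanner copies that name into a 512-byte
 * buffer, the size the advisory describes being overrun. */
#define ARJ_MAGIC0 0x60
#define ARJ_MAGIC1 0xEA
#define NAME_BUF   512
enum arj_status { ARJ_OK = 0, ARJ_BAD_MAGIC, ARJ_TRUNCATED, ARJ_NAME_TOO_LONG };

/* Unsafe pattern behind this bug class: trusts the file to end the name
 * within 512 bytes and ignores the declared size. For contrast only. */
void arj_read_name_unsafe(const uint8_t *buf, char out[NAME_BUF]) {
    strcpy(out, (const char *)buf + 4);   /* runs past out[] on a long name */
}

/* Hardened reader: reads are bounded by the data present, writes by out[]. */
int arj_read_name(const uint8_t *buf, size_t len, char out[NAME_BUF]) {
    if (len < 4 || buf[0] != ARJ_MAGIC0 || buf[1] != ARJ_MAGIC1)
        return ARJ_BAD_MAGIC;
    size_t hdr = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (hdr > len - 4)                      /* declared size exceeds the data */
        return ARJ_TRUNCATED;
    const uint8_t *name = buf + 4;
    size_t n = 0;
    while (n < hdr && name[n] != 0)         /* scan stops at the header end, */
        n++;                                /* not at a NUL we hope is there */
    if (n == hdr)
        return ARJ_TRUNCATED;               /* no terminator inside the header */
    if (n >= NAME_BUF)
        return ARJ_NAME_TOO_LONG;           /* would overrun the 512-byte buffer */
    memcpy(out, name, n);
    out[n] = '\0';
    return ARJ_OK;
}

/* Builds a constructed test header; hdr_size is the value stored in the size
 * field so a lying size can be produced. Returns bytes written, 0 if no room. */
size_t arj_build(uint8_t *dst, size_t cap, const char *name, uint16_t hdr_size) {
    size_t n = strlen(name) + 1;
    if (4 + n > cap) return 0;
    dst[0] = ARJ_MAGIC0; dst[1] = ARJ_MAGIC1;
    dst[2] = (uint8_t)(hdr_size & 0xFF); dst[3] = (uint8_t)(hdr_size >> 8);
    memcpy(dst + 4, name, n);
    return 4 + n;
}
```

The same three checks (declared size against bytes present, scan bounded by the declared size, name length against the destination) apply to any archive or container parser a scanner feeds with untrusted files.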