Backdoor.IRC.Cirebot...installs a backdoor Trojan Horse.

Discussion in 'malware problems & news' started by AplusWebMaster, Aug 3, 2003.

Thread Status:
Not open for further replies.
  1. AplusWebMaster

    AplusWebMaster Registered Member

    :( FYI...from Symantec:
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html
    "...Backdoor.IRC.Cirebot is a threat which exploits the Microsoft DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) to install a backdoor Trojan Horse on vulnerable systems. Backdoor.IRC.Cirebot consists of a Backdoor component, and a Hacktool component which installs the backdoor on systems which are vulnerable to the exploit.
    Signs of infection: the existence of the files c:\rpc.exe, c:\rpctest.exe, or c:\lolx.exe.
    Signs that a network is being attacked: traffic on port 445 to sequential IP addresses.
    Signs that an attack has succeeded (allowing a remote shell and downloading of the backdoor): port 57005 open; an ftp connection on port 69..."

    - See also this thread: http://www.wilderssecurity.com/showthread.php?t=11991;start=msg77483#msg77483.
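
The network signs quoted above, checked over flow records, as an added example that is not part of the original post or of Symantec's advisory. The log format, the sample records, the function names and the `min_run=5` threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records, "src dst dport proto" (not from a real capture).
SAMPLE_FLOWS = """\
10.0.0.5 192.0.2.10 445 tcp
10.0.0.5 192.0.2.11 445 tcp
10.0.0.5 192.0.2.12 445 tcp
10.0.0.5 192.0.2.13 445 tcp
10.0.0.5 192.0.2.14 445 tcp
10.0.0.5 192.0.2.12 57005 tcp
192.0.2.12 10.0.0.5 69 udp
10.0.0.7 192.0.2.50 445 tcp
10.0.0.7 192.0.2.90 445 tcp
10.0.0.8 192.0.2.20 443 tcp
"""

def parse_flows(text):
    """Return a list of (src, dst, dport, proto) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        flows.append((src, dst, int(parts[2]), parts[3].lower()))
    return flows

def sequential_scanners(flows, port=445, min_run=5):
    """Map each source to its longest run of consecutive destination IPs on `port`."""
    targets = defaultdict(set)
    for src, dst, dport, _ in flows:
        if dport == port:
            targets[src].add(int(dst))
    hits = {}
    for src, addrs in targets.items():
        best, run, prev = 0, 0, None
        for addr in sorted(addrs):
            run = run + 1 if prev is not None and addr == prev + 1 else 1
            best, prev = max(best, run), addr
        if best >= min_run:  # assumed threshold; tune for the monitored network
            hits[str(src)] = best
    return hits

def success_indicators(flows, ports=(57005, 69)):
    """Return flows on the ports the advisory lists as signs of a successful attack."""
    return [(str(s), str(d), p) for s, d, p, _ in flows if p in ports]
```

A source that appears in both results (here the constructed host 10.0.0.5) is the one to check first for the files named in the advisory.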