Hello,

I'm seeing a lot of traffic trying to leave my firewall destined for
port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7
(sounds like l337/elite to me :-).

Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc,
etc.

Various Google searches and searches on the various A/V sites haven't
turned up a definite answer - just more questions about the same thing.

Can anyone clue me in to the exact trojan/worm/virus this may be and/or
if they're seeing the same kind of traffic.

Any insight is appreciated....

Thanks.

B

Re: Port 6667 & 10.0.1.128/1.3.3.7/1.1.1.1 by |{evin

|{evin
Thu Sep 18 20:21:08 CDT 2003

On Thu, 18 Sep 2003 17:30:22 -0400, ex-Zephion
<dl1west-nospam@yahoo.com> wrote:

>Hello,
>
>I'm seeing a lot of traffic trying to leave my firewall destined for
>port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7
>(sounds like l337/elite to me :-).
>
>Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc,
>etc.
>
>Various Google searches and searches on the various A/V sites haven't
>turned up a definite answer - just more questions about the same thing.
>
>Can anyone clue me in to the exact trojan/worm/virus this may be and/or
>if they're seeing the same kind of traffic.
>
>Any insight is appreciated....
>
>Thanks.
>
>B
>

Definitely strange on the IPs... but port 6667 is usually Internet
Relay Chat.



Re: Port 6667 & 10.0.1.128/1.3.3.7/1.1.1.1 by Kent

Kent
Fri Sep 19 00:03:07 CDT 2003

Most trojans use something like IRC in order not to give away the
identity of the master controller. Most of the AV vendors have dozens of
IRCbots listed, so it's not possible to know from just the port which
trojan you have.

Removal instructions are typical for trojans. Use a tool like Autostart
Viewer to see *all* your startup locations and identify suspicious
program files. Use netstat -ano (XP) to get the associated PID. Use Task
Manager to kill it, regedit to remove the startup item, and Windows
Explorer to delete the file.

If taskmgr, regedit, and msconfig get killed by the trojan, the trick
that usually works is to copy the files to taskmgr1, regedit1, and
msconfig1 and run those programs instead.

If these simple steps don't work, you'll need a trojan removal tool.

Get yourself a good firewall that manages outbound application traffic
(ZoneAlarm or Kerio or ...). These are usually effective against trojan
traffic.

--
Kent W. England, Microsoft MVP for Windows



"ex-Zephion" <dl1west-nospam@yahoo.com> wrote in message
news:3F6A23ED.62B560A5@yahoo.com...
> Hello,
>
> I'm seeing a lot of traffic trying to leave my firewall destined for
> port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7
> (sounds like l337/elite to me :-).
>
> Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc,
> etc.
>
> Various Google searches and searches on the various A/V sites haven't
> turned up a definite answer - just more questions about the same thing.
>
> Can anyone clue me in to the exact trojan/worm/virus this may be and/or
> if they're seeing the same kind of traffic.
>
> Any insight is appreciated....
>
> Thanks.
>
> B
>
>

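Added illustration of the netstat step Kent describes (this is not code from the thread; the netstat text below is a constructed sample in the Windows XP `netstat -ano` layout, using the addresses the original poster reported). It pulls out every TCP connection to 6667/tcp, marks which destinations are RFC1918 space that can never reach the Internet, and reports the PIDs that fanned out to several IRC servers, which is the pattern a bot walking a hard-coded server list produces. The PID is what you then feed to Task Manager / `tasklist` and to the startup-location check.

```python
"""Triage outbound IRC (6667/tcp) connections found in `netstat -ano` output."""
import ipaddress
import re
from collections import defaultdict

IRC_PORT = 6667

# Constructed sample of `netstat -ano` output (Windows XP layout). The
# foreign addresses mirror the ones reported in the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:1036       10.0.1.128:6667        SYN_SENT        1472
  TCP    192.168.1.5:1037       1.3.3.7:6667           SYN_SENT        1472
  TCP    192.168.1.5:1041       64.233.160.4:80        ESTABLISHED     2040
  TCP    192.168.1.5:1042       1.1.1.1:6667           SYN_SENT        1472
  TCP    192.168.1.5:1043       10.10.10.10:6667       SYN_SENT        1472
  UDP    0.0.0.0:445            *:*                                    4
"""

# Proto, local endpoint, foreign endpoint, state, PID. UDP rows have no
# state column and are not matched.
_TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); netstat prints IPv4 with one colon."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_tcp(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, pid) per TCP row."""
    for line in text.splitlines():
        m = _TCP_LINE.match(line)
        if not m:
            continue
        local, remote, state, pid = m.groups()
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        yield lip, lport, rip, rport, state, int(pid)


def outbound_to_port(text, port=IRC_PORT):
    """Connections (any state except LISTENING) whose remote port is `port`, by PID."""
    by_pid = defaultdict(list)
    for _lip, _lport, rip, rport, state, pid in parse_tcp(text):
        if state == "LISTENING" or rport != port:
            continue
        addr = ipaddress.ip_address(rip)
        by_pid[pid].append({
            "remote": rip,
            "state": state,
            # RFC1918 space is never routed across the Internet, so a bot
            # dialling 10.x.x.x:6667 from a home LAN is hitting a dead address.
            "rfc1918": addr.is_private,
        })
    return dict(by_pid)


def pids_to_investigate(text, port=IRC_PORT, min_hosts=2):
    """PIDs that tried `port` on at least `min_hosts` distinct remote hosts.

    A single process fanning out to several IRC servers, some of them
    unreachable, looks like a bot walking a hard-coded server list rather
    than a person running an IRC client against one network.
    """
    result = {}
    for pid, conns in outbound_to_port(text, port).items():
        hosts = sorted({c["remote"] for c in conns})
        if len(hosts) >= min_hosts:
            result[pid] = hosts
    return result


if __name__ == "__main__":
    for pid, hosts in pids_to_investigate(SAMPLE_NETSTAT).items():
        print(f"PID {pid}: tried {IRC_PORT}/tcp on {', '.join(hosts)}")
        # tasklist /FI is the XP Pro way to map a PID back to an image name.
        print(f'  next: tasklist /FI "PID eq {pid}", then check the startup locations')
```

Paste real `netstat -ano` output in place of the sample and the same functions apply; the web browser on PID 2040 talking to port 80 is ignored, and only the process that reached for four different IRC servers is reported.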

Re: Port 6667 & 10.0.1.128/1.3.3.7/1.1.1.1 by S

S
Fri Sep 19 08:33:57 CDT 2003

I've recently seen a trojan that installs from a Web server using an IE
vulnerability (a _link_ to the page is sent in a spam mail, which is however
nice-looking HTML and is in English), installs a keylogger and sends key
sequences using IRC.

Most likely shit like that.

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Kent W. England [MVP]" <kwe@mvps.org> wrote in message
news:eGW5TInfDHA.132@tk2msftngp13.phx.gbl...
> Most trojans use something like IRC in order not to give away the
> identity of the master controller. Most of the AV vendors have dozens of
> IRCbots listed, so it's not possible to know from just the port which
> trojan you have.
>
> Removal instructions are typical for trojans. Use a tool like Autostart
> Viewer to see *all* your startup locations and identify suspicious
> program files. Use netstat -ano (XP) to get the associated PID. Use Task
> Manager to kill it, regedit to remove the startup item, and Windows
> Explorer to delete the file.
>
> If taskmgr, regedit, and msconfig get killed by the trojan, the trick
> that usually works is to copy the files to taskmgr1, regedit1, and
> msconfig1 and run those programs instead.
>
> If these simple steps don't work, you'll need a trojan removal tool.
>
> Get yourself a good firewall that manages outbound application traffic
> (ZoneAlarm or Kerio or ...). These are usually effective against trojan
> traffic.
>
> --
> Kent W. England, Microsoft MVP for Windows
>
>
>
> "ex-Zephion" <dl1west-nospam@yahoo.com> wrote in message
> news:3F6A23ED.62B560A5@yahoo.com...
> > Hello,
> >
> > I'm seeing a lot of traffic trying to leave my firewall destined for
> > port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7
> > (sounds like l337/elite to me :-).
> >
> > Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc,
> > etc.
> >
> > Various Google searches and searches on the various A/V sites haven't
> > turned up a definite answer - just more questions about the same thing.
> >
> > Can anyone clue me in to the exact trojan/worm/virus this may be and/or
> > if they're seeing the same kind of traffic.
> >
> > Any insight is appreciated....
> >
> > Thanks.
> >
> > B
> >
> >
>



Re: Port 6667 & 10.0.1.128/1.3.3.7/1.1.1.1 by Kent

Kent
Fri Sep 19 21:54:04 CDT 2003

Yuck. We have drive-by spyware and now drive-by trojans.

--
Kent W. England, Microsoft MVP for Windows



"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:uvViQLrfDHA.556@TK2MSFTNGP11.phx.gbl...
> I've recently seen a trojan that installs from a Web server using an IE
> vulnerability (a _link_ to the page is sent in a spam mail, which is however
> nice-looking HTML and is in English), installs a keylogger and sends key
> sequences using IRC.
>
> Most likely shit like that.
>
> --
> Svyatoslav Pidgorny, MVP, MCSE
> -= F1 is the key =-
>
> "Kent W. England [MVP]" <kwe@mvps.org> wrote in message
> news:eGW5TInfDHA.132@tk2msftngp13.phx.gbl...
> > Most trojans use something like IRC in order not to give away the
> > identity of the master controller. Most of the AV vendors have dozens of
> > IRCbots listed, so it's not possible to know from just the port which
> > trojan you have.