Detecting Win32/IRC Flood worm

ddinh
Level 1

I'm getting hit with this worm and these boxes were compromised. The only way my 4230 (w/ latest sig update installed) alarms is when one of these boxes is used to scan (using Xscan and Dameware) the internet (actually *.edu domains to be specific) for more vulnerable hosts. Various trojan sigs are lit up at this point. Is there a specific signature to detect this worm when it is coming into my network? Thanks for any help.

Cheers,

Damien

2 Replies

mcerha
Level 3

I looked into this, and the only information that I found was about a trojan program that installed an IRC client on the victim's system that could be used as a backdoor / DDoS client. I didn't see anything about worm-like activity though. Do you have any links to information? You might want to set up a connection signature for port 6667 to catch any IRC connection and filter it for external addresses as the source.

I'm sorry, you are correct that it is a trojan and NOT a worm. I have been catching compromised boxes when they alarm on the various 9000's sigs and also my custom 20000's sigs. These sigs include most backdoor and trojan ports.

What I would like to know is if anyone has developed a sig that does string matching, and what those strings are.

Here are some good descriptions of these XDCC bots. I have found many variants not described in these articles, but they use some of the same exes, like kill.exe:

1) http://www.sophos.com/virusinfo/analyses/w32ircfloodf.html

2) http://www.symantec.com/avcenter/venc/data/backdoor.irc.flood.html

3) http://staff.washington.edu/dittrich/misc/ddos/unisog-xdcc.txt

Thanks for your response.
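The two ideas raised in this thread, a port-6667 connection signature filtered by source direction and a string match on the IRC protocol itself, combined in one small Python checker. This is an added example, not code from either poster or from the 4230 sensor; the internal address ranges, sample flows and payloads are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed local address space (constructed for the example; substitute your own ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IRC_PORTS = {6667}
# Client registration/channel commands from the IRC protocol (RFC 1459). A hit on a
# port-6667 flow confirms it really is IRC rather than some other service on that port.
IRC_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG)\s", re.MULTILINE)

@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    payload: bytes = b""

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def direction(conn: Conn) -> str:
    src_in, dst_in = is_internal(conn.src), is_internal(conn.dst)
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "external"

def classify(conn: Conn):
    """Return an alert label for a flow, or None if it does not match the signature."""
    if conn.dport not in IRC_PORTS:
        return None
    base = f"irc-{direction(conn)}"
    return base + ("-confirmed" if IRC_CMD.search(conn.payload) else "-port-only")

def scan(conns):
    """Run the signature over a list of flows; returns (src, dst, label) per hit."""
    return [(c.src, c.dst, label) for c in conns if (label := classify(c))]

# Constructed sample flows: an infected internal host joining an external IRC server,
# an external host connecting to an internal box on 6667, and ordinary web traffic.
SAMPLE = [
    Conn("10.1.2.3", "198.51.100.7", 6667, b"NICK bot123\r\nUSER a b c :d\r\nJOIN #chan\r\n"),
    Conn("203.0.113.9", "10.1.2.4", 6667),
    Conn("10.1.2.3", "198.51.100.8", 80, b"GET / HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The port-only label is the connection signature mcerha describes; the confirmed label is what a string-matching sig would add on top of it.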