aim.exe virus


Filename: aim.exe
MD5 signature: 9d9e3a25db51ac5c1fe1599704878223
Discovered: Nov 2003
Infection vector: e-mail attachment or other vectors
Symptom: the infected host receives commands from a master or from peers via a UDP port and then sends spam mail accordingly, at a rate of about 6 mails per second.

From the tcpdump file:

11/11-12:20:50.667668 192.168.20.2:1026 -> 23.206.105.42:10100
UDP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:33
Len: 13
dbrj`
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/11-12:20:50.668660 192.168.20.2:1027 -> 154.82.115.7:10100
UDP TTL:128 TOS:0x0 ID:2 IpLen:20 DgmLen:33
Len: 13
dbrj`
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/11-12:20:50.669185 192.168.20.2:1028 -> 36.200.135.59:10100
UDP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:33
Len: 13
dbrj`

A few UDP packets to port 10100.

Here are the outbound SYN packets to port 25:

12:56:35.623263 192.168.20.2.1059 > 209.202.220.223.25: S 810285577:810285577(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:56:36.779423 192.168.20.2.1066 > 216.68.1.57.25: S 813871274:813871274(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:56:36.779707 192.168.20.2.1067 > 205.188.158.57.25: S 813920917:813920917(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:56:36.779977 192.168.20.2.1068 > 167.206.5.3.25: S 813961664:813961664(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:56:36.780245 192.168.20.2.1069 > 204.90.130.217.25: S 813995841:813995841(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:56:36.780513 192.168.20.2.1070 > 216.218.236.166.25: S 814040472:814040472(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:56:36.968580 216.218.236.166.25 > 192.168.20.2.1070: S 2482701673:2482701673(0) ack 814040473 win 16384 <mss 1460>
12:56:37.031995 216.68.1.57.25 > 192.168.20.2.1066: S 3360566602:3360566602(0) ack 813871275 win 24820 <nop,nop,sackOK,mss
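A detection check built on the packet format shown above (added here as an example; it is not part of the original analysis): it parses tcpdump lines, counts pure outbound SYNs to port 25 per source host and flags hosts whose SMTP connection rate matches the spam behaviour described. The sample input reuses the lines from the capture above plus one constructed line for a benign host; the thresholds min_syns and min_rate are assumptions.

```python
import re
from collections import defaultdict

# Sample input: the outbound SYNs and one SYN-ACK from the capture above, plus a
# constructed line for a benign host (192.168.20.5) that sends a single mail.
SAMPLE_CAPTURE = """\
12:56:35.623263 192.168.20.2.1059 > 209.202.220.223.25: S 810285577:810285577(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:56:36.779423 192.168.20.2.1066 > 216.68.1.57.25: S 813871274:813871274(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:56:36.779707 192.168.20.2.1067 > 205.188.158.57.25: S 813920917:813920917(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:56:36.779977 192.168.20.2.1068 > 167.206.5.3.25: S 813961664:813961664(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:56:36.780245 192.168.20.2.1069 > 204.90.130.217.25: S 813995841:813995841(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:56:36.780513 192.168.20.2.1070 > 216.218.236.166.25: S 814040472:814040472(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:56:36.968580 216.218.236.166.25 > 192.168.20.2.1070: S 2482701673:2482701673(0) ack 814040473 win 16384 <mss 1460>
12:56:40.100000 192.168.20.5.1234 > 10.0.0.25.25: S 1:1(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
"""

# Matches tcpdump's "HH:MM:SS.usec src.port > dst.port: S ..." line layout.
SYN_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): S (.*)$"
)

def parse_outbound_smtp_syns(lines):
    """Yield (seconds since midnight, src_ip) for every pure SYN sent to TCP port 25."""
    for line in lines:
        m = SYN_RE.match(line.strip())
        if not m:
            continue
        hh, mm, ss, us, src, _sport, _dst, dport, rest = m.groups()
        # A SYN-ACK also carries the S flag but has an "ack" token; skip those and
        # anything not aimed at the SMTP port.
        if dport != "25" or "ack" in rest.split():
            continue
        yield int(hh) * 3600 + int(mm) * 60 + int(ss) + int(us) / 1e6, src

def smtp_syn_rates(lines):
    """Return {src_ip: (syn_count, syns_per_second)} over each host's observed span.
    The span is floored at one second so a handful of packets within milliseconds is
    not inflated into a huge rate; timestamps are assumed to be within one day."""
    first, last, count = {}, {}, defaultdict(int)
    for ts, src in parse_outbound_smtp_syns(lines):
        first.setdefault(src, ts)
        last[src] = ts
        count[src] += 1
    return {s: (count[s], count[s] / max(last[s] - first[s], 1.0)) for s in count}

def flag_spam_bots(lines, min_syns=5, min_rate=1.0):
    """Hosts that opened at least min_syns SMTP connections at min_rate/s or more."""
    return sorted(s for s, (n, r) in smtp_syn_rates(lines).items()
                  if n >= min_syns and r >= min_rate)

if __name__ == "__main__":
    for host, (n, r) in smtp_syn_rates(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{host}: {n} SMTP SYNs, {r:.2f}/s")
    print("flagged:", flag_spam_bots(SAMPLE_CAPTURE.splitlines()))
```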

strings aim.exe gives this:

.. PING 208.178.231.190 140.99.102.3 63.98.19.244 63.98.19.242 206.167.75.78 QUIT :contem@efnet PRIVMSG #exceptions :%s JOIN #exceptions :puddy NICK %s PONG %s ERROR NICK %s USER %s localhost localhost :%s Exception: %s at address 0x%08x in win32 Unknown exception Ctrl+C Exit Stack Overflow Privileged Instruction Integer Overflow Integer Divide by Zero Float Uderflow Float Stack Check Float Overflow Float Invalid Operation Float Inexact Result Divide by Zero Float Denormal Operand Array Bounds Exceeded Invalid Disposition .