Content
DDoS-Stinkbot
- Type
- Trojan
- SubType
- Denial Of Svc
- Discovery Date
- 04/10/2003
- Length
- Varies
- Minimum DAT
- 4258 (04/16/2003)
- Updated DAT
- 4655 (12/21/2005)
- Minimum Engine
- 5.1.00
- Description Added
- 04/10/2003
- Description Modified
- 04/16/2003 5:03 PM (PT)
Tab Navigation
Characteristics
This trojan is an IRC bot, controlled by a remote attacker to use infected systems to initiate a Distributed Denial of Service attack against others. When run, it copies its components to the SYSTEM directory with the following filenames:
The dropper file received by AVERT also included the following additional application, and two common Microsoft files:
It does not create a registry key or any entries in INI files to load itself at startup.
Once infected, the local system "reports in" to a specified IRC server so that an attacker can issue commands. An attacker can also instruct the bot to download and run other programs, remotely.
This trojan's components pose as valid Windows system files. These files have the following file properties:
(WINVIDEO.EXE)
Company Name: Microsoft Corporation
Product Name: Microsoft(R) Windows (R) 2000 Operating System
(SETUPINF.EXE)
Description: Internet Explorer
Copyright: Microsoft 1985-2003
Comments: Microsoft Internet Explorer
Company Name: Microsoft Corp
Product Name: Internet Explorer
Symptoms
Port 7948 and 7949 being left open
Unexpected traffic on port 6667
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics
Characteristics -
This trojan is an IRC bot, controlled by a remote attacker to use infected systems to initiate a Distributed Denial of Service attack against others. When run, it copies its components to the SYSTEM directory with the following filenames:
The dropper file received by AVERT also included the following additional application, and two common Microsoft files:
It does not create a registry key or any entries in INI files to load itself at startup.
Once infected, the local system "reports in" to a specified IRC server so that an attacker can issue commands. An attacker can also instruct the bot to download and run other programs, remotely.
This trojan's components pose as valid Windows system files. These files have the following file properties:
(WINVIDEO.EXE)
Company Name: Microsoft Corporation
Product Name: Microsoft(R) Windows (R) 2000 Operating System
(SETUPINF.EXE)
Description: Internet Explorer
Copyright: Microsoft 1985-2003
Comments: Microsoft Internet Explorer
Company Name: Microsoft Corp
Product Name: Internet Explorer
Symptoms
Symptoms -
Port 7948 and 7949 being left open
Unexpected traffic on port 6667
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal -
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
