Discussion:
KIBUV.B or variant?
Michel Arboi
2005-05-24 21:19:09 UTC
I found an FTP server on port 42260 with this banner: 220 fuckFtpd 0wns j0
It looks slightly different from KIBUV.B (it says "StnyFtpd 0wns j0"
and is not on the right port)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FKIBUV%2EB&VSect=T

Is the description incomplete, or is this a new malware?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
mike king
2005-05-25 03:42:24 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The source code to these bots is traded around a great deal. Most
likely either the IRC owner changed the port/banner on which the
bot is to listen, or they have coded it with a different port and
banner. This is not at all uncommon, so chances are it's the same
program, just tweaked.

On Tue, 24 May 2005 14:19:09 -0700 Michel Arboi
Post by Michel Arboi
> I found an FTP server on port 42260 with this banner: 220 fuckFtpd 0wns j0
> It looks slightly different from KIBUV.B (it says "StnyFtpd 0wns j0"
> and is not on the right port)
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FKIBUV%2EB&VSect=T
> Is the description incomplete, or is this a new malware?
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkKT9BoACgkQUjm7xSZSd8FfJACgoEmpWRJFkWUqLHVuNzyGPBP0WjQA
oL/FHBIXfAr/zW8xhDyFIabLyepf
=KYJI
-----END PGP SIGNATURE-----
Michel Arboi
2005-05-25 07:52:33 UTC
> This is not at all uncommon, so chances are it's the same program, just tweaked.
Thanks Mike. Another point: on some machines infected by the same
nasty beast, there is a second FTP server on a high port. The banners
look like ProFTPD (with miscellaneous version numbers), but the servers
are probably not ProFTPD: they allow commands before login, answer only
a limited set of commands, and freeze on common things like "cd ..".
Has anybody seen this?
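Added example (not part of the thread, and not code from any of the posters): a small Python fingerprinting helper for the two behaviours described above, the "0wns j0" bot banner and the fake ProFTPD daemon that answers commands before login and hangs on "cd ..". The banner strings and port 42260 come from the thread; the set of pre-login probe commands (SYST, PWD, CWD ..), the verdict names and the sample replies in the test are assumptions constructed for this example. The offline part (classify_banner, assess) works on captured transcripts; probe() runs the same checks against a live host with a per-command timeout so a daemon that freezes is recorded rather than hanging the scan.

```python
import re
import socket

# Banner fragments reported in the thread: the KIBUV.B description ("StnyFtpd
# 0wns j0") and the variant seen on port 42260 ("fuckFtpd 0wns j0").
BOT_BANNER_RE = re.compile(r"0wns\s+j0", re.IGNORECASE)
# A greeting that claims to be ProFTPD, capturing whatever version it advertises.
PROFTPD_BANNER_RE = re.compile(r"ProFTPD\s+(\d[\w.]*)", re.IGNORECASE)

# Commands sent before USER/PASS. A genuine daemon normally rejects these with a
# 530 reply; the thread reports fake ProFTPD servers answering some of them and
# freezing on "cd ..". The probe set is an assumption made for this example.
PRELOGIN_PROBES = ("SYST", "PWD", "CWD ..")


def classify_banner(banner):
    """Label a 220 greeting as bot-ftpd, claims-proftpd or unknown."""
    if BOT_BANNER_RE.search(banner):
        return "bot-ftpd"
    if PROFTPD_BANNER_RE.search(banner):
        return "claims-proftpd"
    return "unknown"


def assess(banner, replies):
    """Combine the banner with pre-login replies into a verdict.

    replies maps each probe command to the reply line it produced, or to None
    when nothing came back before the read timed out (or the peer closed).
    """
    banner_class = classify_banner(banner)
    answered = [c for c, r in replies.items()
                if r is not None and not r.startswith("530")]
    no_reply = [c for c, r in replies.items() if r is None]
    if banner_class == "bot-ftpd":
        verdict = "bot-ftpd"
    elif banner_class == "claims-proftpd" and (answered or no_reply):
        verdict = "suspect-fake-proftpd"
    elif banner_class == "claims-proftpd":
        verdict = "plausible-proftpd"
    else:
        verdict = "unknown"
    return {"banner_class": banner_class,
            "answered_before_login": answered,
            "no_reply_on": no_reply,
            "verdict": verdict}


def probe(host, port, timeout=5.0):
    """Grab the banner and run the pre-login probes against a live host.

    Each recv() uses its own timeout, so a daemon that freezes on one command
    is recorded as None for that command instead of stalling the whole probe.
    Not exercised by the offline test.
    """
    replies = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        banner = s.recv(1024).decode("latin-1", "replace")
        for cmd in PRELOGIN_PROBES:
            s.sendall((cmd + "\r\n").encode("ascii"))
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
            replies[cmd] = data.decode("latin-1", "replace") if data else None
    return assess(banner, replies)


if __name__ == "__main__":
    import sys
    # Usage: python fingerprint.py <host> <port>   (e.g. port 42260 from the thread)
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Treat the verdict as a triage hint, not proof: a server that answers SYST or PWD before login is merely non-standard, and an unrelated service on the port can also produce "no reply". The useful signal is the combination the thread describes, a ProFTPD-looking banner together with pre-login answers or a hang on CWD.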