Cisco Support Community
Detecting Win32/IRC Flood worm

I'm getting hit with this worm and these boxes were compromised. The only way my 4230 (w/ latest sig update installed) alarms is when one of these boxes is used to scan (using Xscan and Dameware) the internet (actually *.edu domains, to be specific) for more vulnerable hosts. Various trojan sigs are lit up at this point. Is there a specific signature to detect this worm when it is coming into my network? Thanks for any help.

Cheers,

Damien

2 REPLIES

Re: Detecting Win32/IRC Flood worm

I looked into this, and the only information that I found was about a trojan program that installed an IRC client on the victim's system that could be used as a backdoor / DDoS client. I didn't see anything about worm-like activity, though. Do you have any links to information? You might want to set up a connection signature for port 6667 to catch any IRC connection and filter it for external addresses as the source.


Re: Detecting Win32/IRC Flood worm

I'm sorry, you are correct that it is a trojan and NOT a worm. I have been catching compromised boxes when they alarm on the various 9000-series sigs and also my custom 20000-series sigs. These sigs include most backdoor and trojan ports.

What I would like to know is whether anyone has developed a sig that does string matching, and what those strings are.

Here are some good descriptions of these XDCC bots. Although I have found many variants not described in these articles, they use some of the same executables, like kill.exe:

1) http://www.sophos.com/virusinfo/analyses/w32ircfloodf.html

2) http://www.symantec.com/avcenter/venc/data/backdoor.irc.flood.html

3) http://staff.washington.edu/dittrich/misc/ddos/unisog-xdcc.txt

Thanks for your response.
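The two detection approaches raised in this thread (a connection signature on TCP/6667 filtered by source address, and string matching on IRC/XDCC traffic) are sketched below as a small Python detector run over constructed flow records. This is an added example written for this page, not Cisco IDS signature syntax and not code from the thread or the linked analyses; the internal network ranges, the extra IRC ports beyond 6667, and the matched strings (plain RFC 1459 client commands and generic XDCC/DCC request verbs) are assumptions chosen for illustration, not signatures taken from any vendor write-up.

```python
"""Toy IRC / XDCC detector: connection-based alerts plus payload string matching.

Added example for the thread above; not Cisco IDS signature syntax.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Assumption: this site's internal address space. Adjust to your own ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# TCP/6667 is the port suggested in the reply; the others are further
# commonly used IRC server ports (assumption, extend as needed).
IRC_PORTS = {6667, 6668, 6669, 7000}

# Plain IRC client registration / chat commands from RFC 1459 at the start of a
# line. Illustrative strings only, not a vendor signature.
IRC_CMD_RE = re.compile(
    rb"^(NICK|USER|PASS|JOIN|PRIVMSG|NOTICE)\s", re.IGNORECASE | re.MULTILINE
)

# Generic XDCC request verbs and a CTCP "DCC SEND" offer (\x01-delimited).
# Illustrative strings only; real bots may use other words or encodings.
XDCC_RE = re.compile(
    rb"xdcc\s+(send|list|get|batch)|\x01DCC\s+SEND\b", re.IGNORECASE
)


@dataclass
class Flow:
    """One TCP flow: endpoints, ports and the first bytes of client payload."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> List[str]:
    """Return the alert names that fire for this flow (possibly empty)."""
    alerts: List[str] = []
    src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)

    # Connection-based check, port only: fires regardless of payload.
    if flow.dport in IRC_PORTS:
        if dst_in and not src_in:
            # The reply's filter: IRC connection with an external source.
            alerts.append("irc-connection-inbound")
        elif src_in and not dst_in:
            # A compromised host reaching out to its IRC server.
            alerts.append("irc-connection-outbound")

    # String-based checks, applied on every port: catches bots that use a
    # non-standard server port, which the port check above would miss.
    if IRC_CMD_RE.search(flow.payload):
        alerts.append("irc-protocol-strings")
    if XDCC_RE.search(flow.payload):
        alerts.append("xdcc-strings")
    return alerts


# Constructed sample flows (not captured traffic): 203.0.113.0/24 and
# 198.51.100.0/24 stand in for external hosts.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", 3456, "203.0.113.5", 6667,
         b"NICK xdccbot\r\nUSER a b c :d\r\nJOIN #warez\r\n"),
    Flow("198.51.100.7", 51000, "192.168.1.20", 6667, b""),
    Flow("192.168.1.20", 3457, "203.0.113.5", 8000,
         b"PRIVMSG #warez :xdcc send #3\r\n"),
    Flow("192.168.1.21", 3458, "203.0.113.9", 80, b"GET / HTTP/1.0\r\n"),
]


def run(flows: List[Flow] = SAMPLE_FLOWS) -> List[List[str]]:
    """Classify every flow; returns one alert list per input flow, in order."""
    return [classify(f) for f in flows]


if __name__ == "__main__":
    for flow, alerts in zip(SAMPLE_FLOWS, run()):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  {alerts or '-'}")
```

The third sample flow is the case that matters most in practice: the bot talks IRC on TCP/8000, so a port-only connection signature never fires, and only the payload strings catch it. Conversely the second flow fires on the port alone with no payload at all, which is what makes a bare port-6667 signature noisy on a network with legitimate IRC users; pairing it with the source-address filter from the reply, or with the string checks, keeps the alarm count manageable.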
