Anti-Spyware Forums



aftereffects of a worm

 
 
FromTheRafters
08-07-2009, 09:11 PM
"PA Bear [MS MVP]" <(E-Mail Removed)> wrote in message
news:O4lQj6x$(E-Mail Removed)...
> ObiWan [MVP] wrote:
>>> Please state your full Windows version (e.g., WinXP SP3; Vista x64
>>> SP2)
>>> when posting to this newsgroup.
>>
>>> PS: Please avoid chatspeak here.
>>
>> heh... and in particular when one starts a post with a
>> "im very smart with computers." now, I think of myself
>> that I know something about computers not that "I'm
>> smart" since I think that when you start considering
>> stuff "usual" it's time to do a deep-check since there
>> is something which definitely isn't working <g>
>>
>> (Murphy is ALWAYS there )
>
> Anyone who's "been fighting that conficter [sic] worm since aug/sep of
> 2008" is not the brightest bulb in the box.

It even affected the CD player in the car! Now the car won't start until
the third time...


 
ObiWan [MVP]
09-07-2009, 08:46 AM

> I'm sure the FBI will be knocking at your door
> very soon to investigate this.


uhm.... if so they'll probably send there the same
unit which took care of Dr. Hannibal Lecter <eg>


 
PA Bear [MS MVP]
09-07-2009, 05:34 PM

ObiWan [MVP] wrote:
>> I'm sure the FBI will be knocking at your door
>> very soon to investigate this.
>
> uhm.... if so they'll probably send there the same
> unit which took care of Dr. Hannibal Lecter <eg>

Ooo, kinky!
 
antihacker101
22-08-2010, 12:50 PM
This is peace101,
The real worm originally was a backdoor that was created by the HACKER of BILL PARKS that works at the department of transportation (according to a news investigator). This whole April Fools/Conficker/botnet are parts of a psychological defense from him to cover his tracks that was the TRAFFIC.

He was using my machine to spread and use our machines to increase traffic to influence the outcome of a law called ROOTLAW.

The IPs I get that started in Feb 2009 and still running today which I'm going to paste are from the main and real worm and are untouched. Its highest priority is to be undetected. The worm uses loopback to intercept all ports. Your browsers for example are infected through port 1900. Each port is a command. Updates from the hacker are spread after programmed through me using port 443 or 445 I remember.

Nov 17 was the day the hacker finished making its first major change that uploaded to you on port 443 or 445 (one of them). That's when a patch was first blamed on the safe mode reboot loop forcing a format.

The 2nd I remember was around Feb where parts of the intercepts were removed, but a lot of you got blue screens from NULL or volsomething.

Before I paste the log of the IP samples, I want to tell you how it's really spreading.

The first part of the worm uses our phones and towers to inject radio packets that are used somehow to spread the worm.

The 2nd part was the emails with strange subjects that were assumed to be spam but were linked to a list I found in a temp folder with numbers assigned. This is what was used to give the backdoor/worm commands and kept it in sequence with new phases of spreading.

The 3rd part is where every type of text window such as this one is used to inject hidden memory string points that you can see using Spy++.
This is the reason that some of your emails and messages had missing or twisted letters.

Here is a recent list of the IPs I'm talking about from the real worm. Note the dates are from not updating after the last reset. I cleared the log around 2 hours ago. This is fresh.



 
Reply With Quote
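As an added example (not code from this thread), a parser for the router log format quoted in the post above: it counts blocked inbound attempts per source and destination port, expands the "Above message repeated N times" lines, and groups the sources probing SMB/RPC ports. The sample lines, their addresses and the reading of the repeat line as referring to the entry listed directly above it are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the router log quoted above (RFC 5737
# documentation addresses, not the poster's). The router lists newest entries
# first; assumed: "Above message repeated N times" refers to the line above it.
SAMPLE_LOG = """\
[INFO] Sun Feb 08 05:22:28 2004 Blocked incoming TCP connection request from 198.51.100.7:38144 to 203.0.113.9:135
[INFO] Sun Feb 08 05:18:28 2004 Blocked incoming TCP connection request from 198.51.100.7:53494 to 203.0.113.9:445
[INFO] Sun Feb 08 05:11:51 2004 Blocked incoming TCP connection request from 192.0.2.44:24682 to 203.0.113.9:445
[INFO] Sun Feb 08 05:11:43 2004 Above message repeated 2 times
[INFO] Sun Feb 08 04:57:00 2004 Blocked incoming UDP packet from 192.0.2.80:5060 to 203.0.113.9:5060
[WARN] Sun Feb 08 05:24:42 2004 A network computer (Compaq) was assigned the IP address of 192.168.0.199.
"""

BLOCKED = re.compile(
    r"^\[\w+\] \w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4} "
    r"Blocked incoming (?P<proto>TCP|UDP) (?:connection request|packet) "
    r"from (?P<src>[\d.]+):\d+ to [\d.]+:(?P<dport>\d+)$"
)
REPEATED = re.compile(r"Above message repeated (?P<n>\d+) times?$")
SMB_RPC_PORTS = {135, 139, 445}  # what a Conficker-style scanner probes

def blocked_inbound(log_text):
    """Yield (src, proto, dport) per blocked inbound attempt, expanding repeats."""
    last = None
    for line in log_text.splitlines():
        m = BLOCKED.match(line)
        if m:
            last = (m["src"], m["proto"], int(m["dport"]))
            yield last
            continue
        r = REPEATED.search(line)
        if r and last is not None:
            for _ in range(int(r["n"])):
                yield last
        else:
            last = None  # any other message ends the repeat chain

def summarize(log_text):
    """Count blocked attempts per (src, proto, dport)."""
    return Counter(blocked_inbound(log_text))

def smb_rpc_scanners(counts):
    """Sources that hit SMB/RPC ports with their attempt totals, busiest first."""
    per_src = Counter()
    for (src, proto, dport), n in counts.items():
        if proto == "TCP" and dport in SMB_RPC_PORTS:
            per_src[src] += n
    return per_src.most_common()
```

Blocked inbound hits on 445 and 135 show other hosts scanning this router from outside, which is what an infected neighbour looks like; they are not by themselves evidence that the machine behind the router is infected.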
 
 
 