Juniper Networks
Signature Detail

Security Intelligence Center

Short Name

TROJAN:MYDOOM:S-IRC-BACKDOOR

Severity

High

Recommended

No

Recommended Action

Drop

Category

TROJAN

Keywords

Mydoom.S Backdoor IRC Traffic

Release Date

2004/08/25

Update Number

1213

Supported Platforms

idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

TROJAN: Mydoom.S Backdoor IRC Traffic


This signature detects IRC traffic generated by a host infected with the Mydoom.S Trojan. The backdoor component is installed as part of the Mydoom.S infection routine; it acts as an SMTP and HTTP proxy and joins an IRC bot network to receive commands. When this signature fires, the source IP of the traffic is very likely infected with Mydoom.S. Mydoom.S is also known as Ratos.A (Trend Micro: BKDR_RATOS.A).
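The page does not publish the nicknames, channels or server ports that Mydoom.S uses, so the matching logic of the Juniper signature cannot be reproduced here. What can be shown is the protocol-level check such a signature rests on: parsing client-to-server IRC messages (RFC 1459 format) out of raw TCP payload and flagging any internal host that performs a full IRC client registration (NICK and USER) followed by a JOIN, regardless of destination port. The code below is an added example written for this page, not Juniper's signature and not Mydoom.S code; the flows, IP addresses, nicknames and channel names in SAMPLE_FLOWS are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Client-to-server IRC message grammar (RFC 1459 section 2.3.1):
#   [':' prefix SPACE] command {SPACE param} [SPACE ':' trailing]
# Commands are alphabetic words or three-digit numeric replies.
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"
    r"(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: [^: \r\n][^ \r\n]*)*)"
    r"(?: :(?P<trailing>.*))?$"
)


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Parse one IRC protocol line; return None if it is not IRC-shaped."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = m.group("params").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return IrcMessage(m.group("prefix"), m.group("command").upper(), params)


@dataclass
class HostState:
    nick: Optional[str] = None
    registered_user: bool = False
    channels: List[str] = field(default_factory=list)


# Constructed sample traffic: (src_ip, dst_ip, dst_port, client->server payload).
# 10.0.0.5 registers as an IRC client and joins channels on a non-standard port;
# 10.0.0.7 only chats; 10.0.0.9 speaks HTTP. None of these values are real.
SAMPLE_FLOWS: List[Tuple[str, str, int, bytes]] = [
    ("10.0.0.5", "203.0.113.10", 7000, b"NICK bot-12345\r\nUSER xyz 0 * :xyz\r\nJOIN #lobby\r\n"),
    ("10.0.0.7", "203.0.113.10", 6667, b"PRIVMSG #lobby :hello\r\n"),
    ("10.0.0.9", "198.51.100.4", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.5", "203.0.113.10", 7000, b"JOIN #second\r\n"),
]


def find_irc_bot_clients(flows: List[Tuple[str, str, int, bytes]]) -> Dict[str, HostState]:
    """Return the hosts that completed an IRC client registration (NICK + USER)
    and joined at least one channel. Detection is content-based: the destination
    port is deliberately ignored because bots are not tied to 6667."""
    states: Dict[str, HostState] = {}
    for src, _dst, _dport, payload in flows:
        st = states.setdefault(src, HostState())
        for raw in payload.decode("latin-1").split("\n"):
            msg = parse_irc_line(raw)
            # Lines carrying a prefix are server-originated; only client commands count.
            if msg is None or msg.prefix is not None:
                continue
            if msg.command == "NICK" and msg.params:
                st.nick = msg.params[0]
            elif msg.command == "USER" and len(msg.params) >= 4:
                st.registered_user = True
            elif msg.command == "JOIN" and msg.params:
                st.channels.extend(msg.params[0].split(","))
    return {src: st for src, st in states.items()
            if st.nick and st.registered_user and st.channels}


if __name__ == "__main__":
    for host, state in find_irc_bot_clients(SAMPLE_FLOWS).items():
        print(f"{host}: nick={state.nick} channels={','.join(state.channels)}")
```

A production signature would additionally match the specific nick format and channel names of the bot family; the generic registration check above is what separates an IRC client from arbitrary text that happens to look like a command word (the HTTP request in the sample parses as no IRC message at all, and a lone PRIVMSG never completes registration).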

Extended Description

Note: the extended description, affected product and the BugTraq and CVE references below describe the 2002 irssi source-code backdoor (CVE-2002-1840), which is unrelated to Mydoom.S; only the Trend Micro reference concerns this signature. irssi is a freely available, open-source IRC client for Linux and Unix operating systems. The server hosting the irssi distribution was compromised, and the irssi source code was altered to include a backdoor that allowed a user connecting from the IP address 204.120.36.206 to execute commands remotely on any host where the trojaned irssi was installed. The source code is known to have been trojaned between early April and late May 2002; copies of the source downloaded during that period likely contain the backdoor.

Affected Products

  • irssi 0.8.4

References

  • BugTraq: 4831
  • CVE: CVE-2002-1840
  • URL: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_RATOS.A

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.