TROJAN: Mydoom.S Backdoor IRC Traffic

This signature detects IRC traffic being generated by a host infected with the Mydoom.S Trojan. This Trojan is installed as part of the Mydoom.S infection routine and acts as an SMTP and HTTP proxy as well as joining an IRC bot network. When this attack is detected, it is likely that the source IP is infected with Mydoom.S. Mydoom.S is also known as Ratos.A.

Extended Description

irssi is a freely available, open source IRC client for Linux and Unix operating systems. The server hosting irssi was compromised at some point, and after the compromise the irssi source code was altered to include a backdoor. This backdoor allowed a user from the IP address 204.120.36.206 to remotely execute commands on any host where the trojaned irssi was installed. The source code is known to have been trojaned between the beginning of April and the end of May; downloads of the source during this period likely contain the trojan code.

Affected Products

Irssi irssi

Short Name
TROJAN:MYDOOM:S-IRC-BACKDOOR
Severity
Major
Recommended
False
Recommended Action
Drop
Category
TROJAN
Keywords
Backdoor CVE-2002-1840 IRC Mydoom.S Traffic bid:4831
Release Date
08/26/2004
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3

Sigpack Version
3336
Port
TCP/6666
False Positive
Unknown
Vendors
Irssi
CVSS Score
10.0