Computer Security - Port 6667 & 10.0.1.128/1.1.1.1/1.3.3.7

#1
Hello,

I'm seeing a lot of traffic trying to leave my firewall destined for port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7 (sounds like l337/elite to me).

Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc, etc.

Various Google searches and searches on the various A/V sites haven't turned up a definite answer - just more questions about the same thing.

Can anyone clue me in to the exact trojan/worm/virus this may be and/or if they're seeing the same kind of traffic.

Any insight is appreciated....

Thanks.

B

ex-Zephion

#2

> Hello,
>
> I'm seeing a lot of traffic trying to leave my firewall destined for port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7 (sounds like l337/elite to me).
>
> Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc, etc.
>
> Various Google searches and searches on the various A/V sites haven't turned up a definite answer - just more questions about the same thing.
>
> Can anyone clue me in to the exact trojan/worm/virus this may be and/or if they're seeing the same kind of traffic.
>
> Any insight is appreciated....
>
> Thanks.
>
> B

It seems to be some kind of worm that spreads on the IRC networks.

Greets
D

Damjan

#3

On Thu, 18 Sep 2003 11:32:06 -0400, ex-Zephion <dl1west-> wrote:

> Hello,
>
> I'm seeing a lot of traffic trying to leave my firewall destined for port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7 (sounds like l337/elite to me).
>
> Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc, etc.
>
> Various Google searches and searches on the various A/V sites haven't turned up a definite answer - just more questions about the same thing.
>
> Can anyone clue me in to the exact trojan/worm/virus this may be and/or if they're seeing the same kind of traffic.
>
> Any insight is appreciated....

Sounds a little like the Fizzer worm but most AV software ought to pick up on it and exterminate

--
http://www.cotse.net - Use it, you know you want to.
If you're too scared to go look for yourself, ask me about COTSE.
I'd be happy to tell you about it.

[ Doc Jeff ]

#4

"ex-Zephion" <dl1west-> wrote in message news:...

> Hello,
>
> I'm seeing a lot of traffic trying to leave my firewall destined for port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7 (sounds like l337/elite to me).
>
> Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc, etc.
>
> Various Google searches and searches on the various A/V sites haven't turned up a definite answer - just more questions about the same thing.
>
> Can anyone clue me in to the exact trojan/worm/virus this may be and/or if they're seeing the same kind of traffic.
>
> Any insight is appreciated....
>
> Thanks.
>
> B

6667 is generally an IRC server, so maybe it's an IRC spread worm? If you run IRC, you could check to see if there's anything (scripts) funny in your IRC dir, I guess.

--
Mimic

"Without Knowledge you have fear, With fear you create your own nightmares."
"There are 10 types of people in this world. Those that understand Binary, and those that don't."
"C makes it easy to shoot yourself in the foot. C++ makes it harder, but when you do, it blows away your whole leg"

Mimic

#5

On Thu, 18 Sep 2003 11:32:06 -0400, ex-Zephion <dl1west-> wrote:

> Hello,
>
> I'm seeing a lot of traffic trying to leave my firewall destined for port 6667 at the IPs 10.0.1.128, 10.10.10.10, 1.1.1.1 and 1.3.3.7 (sounds like l337/elite to me).
>
> Yes - I know the 10.x.x.x traffic isn't going too far.... RFC1918, etc, etc.
>
> Various Google searches and searches on the various A/V sites haven't turned up a definite answer - just more questions about the same thing.
>
> Can anyone clue me in to the exact trojan/worm/virus this may be and/or if they're seeing the same kind of traffic.
>
> Any insight is appreciated....
>
> Thanks.
>
> B

Automated detection tools, rather than manual searches of discussion groups, might be more useful. If I were you, I'd give Spybot S&D, and HijackThis, a shot. Start from this article (ignore the title):

http://forums.spywareinfo.com/index.php?showtopic=5187

Chuck

Spam sucks - PLEASE get rid of the spam before emailing me!
Trusted Computing? Right! http://www.againsttcpa.com/
WHAT IS THE CBDTPA? http://www.stoppoliceware.org/

Chuck
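
For readers tracing traffic like that described in this thread, here is an added example (not part of any post above) that tallies outbound TCP attempts to port 6667 per internal source host, so the machine generating them can be identified and scanned. The log format, the 192.168.1.x source addresses and the function name `irc_talkers` are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in an assumed, simplified firewall-log format
# (not from the thread): "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-09-18T11:20:01 DENY tcp 192.168.1.23:1045 -> 10.0.1.128:6667
2003-09-18T11:20:02 DENY tcp 192.168.1.23:1046 -> 1.3.3.7:6667
2003-09-18T11:20:02 ALLOW tcp 192.168.1.40:1201 -> 198.51.100.7:80
2003-09-18T11:20:05 DENY tcp 192.168.1.23:1047 -> 10.10.10.10:6667
2003-09-18T11:20:09 DENY tcp 192.168.1.57:2210 -> 1.1.1.1:6667
this line is malformed and must be skipped
2003-09-18T11:20:11 DENY udp 192.168.1.23:1050 -> 1.1.1.1:6667
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def irc_talkers(log_text, port=6667):
    """Group outbound TCP attempts to `port` by the internal source host."""
    hosts = defaultdict(
        lambda: {"attempts": 0, "private_dst": set(), "public_dst": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"].lower() != "tcp" or int(m["dport"]) != port:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # regex matched, but an octet was out of range
        entry = hosts[str(src)]
        entry["attempts"] += 1
        # RFC 1918 destinations are not routable on the Internet; the rest are.
        is_private = any(dst in net for net in RFC1918)
        entry["private_dst" if is_private else "public_dst"].add(str(dst))
    return dict(hosts)

if __name__ == "__main__":
    ranked = sorted(irc_talkers(SAMPLE_LOG).items(),
                    key=lambda kv: -kv[1]["attempts"])
    for host, info in ranked:
        print(host, info["attempts"],
              sorted(info["private_dst"]), sorted(info["public_dst"]))
```

The host with the most attempts is the first candidate for the AV and anti-spyware scans suggested in the replies.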