Please Read, You are at RISK

[Logon News - Jul 02 2003]

There is a new trojan floating around that asks you to open a url referencing mindjail.zip. This WILL infect you with the trojan. Please do NOT open any urls unless you know and trust the person it is coming from.

The Diplomat :D

There will be more posts from me, but the car accident in May is still affecting my normal life at the moment, sorry People, plus I am having a heart monitor fitted for 24hrs next Wednesday and that's giving me stress, so I am just taking it easy at the moment.

CU all soon OK :cool:
 
Intercept said:
[Logon News - Jul 02 2003]

There is a new trojan floating around that asks you to open a url referencing mindjail.zip. :

more info

Mindjail worms way through IRC

A recent post on Bugtraq (27/06/03) introduced the world to a new worm currently slithering its way through IRC.

Mindjail is a new variant of Backdoor.SdBot code that once activated installs a backdoor into infected systems. IRC channels are scanned by bots seeking users, who are then spammed with the following messages:

1. "EEEEEEETHHHOOOM! MINDJAIL!! HE IS TRAPPED!! GET HIM OUT!"

2. "Ever heard of a thing called mindjail? Check it"

Both messages are followed by a link to a file called mindjail.zip. The zip file contains a HTML file, "mindjail.html" which executes JavaScript code on vulnerable systems. On execution, the backdoor code copies itself to the Sysdir folder and modifies the Registry to be executed on every system start up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"hpsched"
Type: REG_SZ
Data: hpsched.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RUNServices
"hpsched"
Type: REG_SZ
Data: hpsched.exe

As of today, most Anti Virus scanners fail to detect either the exploit code or the backdoor Trojan. A detection and removal tool has been produced by Paolo Monti (c/o NOD32 antivirus tools etc) and is currently available for download HERE: http://www.nod32.it/tools/MDJCLEAN.ZIP

As ever, the best advice is to avoid clicking suspicious looking links in IRC (or anywhere else), check your Registry, and patch IE properly. ®
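
As an added example (not part of the original post or the quoted article), here is one way to carry out the "check your Registry" advice offline: a Python scan of a regedit text export for the two autostart entries listed above. The sample export is constructed, and comparing only the file name, ignoring case and path, is an assumption of this example.

```python
import re

# Indicators from the article above: value name and data under two autostart keys.
IOC_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
IOC_NAME = "hpsched"
IOC_DATA = "hpsched.exe"

# Constructed regedit text export (not from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"hpsched"="hpsched.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"HPSched"="C:\\WINDOWS\\SYSTEM\\hpsched.exe"

[HKEY_CURRENT_USER\Software\ExampleApp]
"hpsched"="unrelated setting outside the autostart keys"
'''

# "name"="string data" lines; backslash escapes are allowed inside the quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_mindjail_autostart(export_text):
    """Return (key, value name, data) for autostart entries matching the indicators."""
    hits, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: the current registry key
            continue
        match = VALUE_RE.match(line)
        if not match or key is None or key.lower() not in IOC_KEYS:
            continue
        # Undo the export's backslash escaping (\\ and \").
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in match.groups())
        # Assumption of this example: compare the file name only, ignoring case and path.
        basename = data.rsplit("\\", 1)[-1].lower()
        if name.lower() == IOC_NAME or basename == IOC_DATA:
            hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for hit in find_mindjail_autostart(SAMPLE_EXPORT):
        print("suspicious autostart entry:", hit)
```

Exports saved in the "Windows Registry Editor Version 5.00" format are UTF-16 and need decoding before being passed in as text.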
 
yet more info ....

A new virus threat is causing a lot of nuisance over IRC networks. Mindjail is a modified Backdoor.Sdbot, a well known virus which is being found in private channels as part of DDoS nets since the 30th of April of last year.

"After the drone's (fizzer) problems we now got a new problem :( Nicknames like this :-

< xrspjdsod >, < bvrwzgzli >, < nvsxpylvj >. They all join the server and put this:

<mpsmxkuxu> The thought police are coming, they will lock you into your brain muzzle and put you into mindjail h**p:/211.238.230.125:xxxx

<bvrwzgzli> EEEEEEETHHHOOOM! MINDJAIL!! HE IS TRAPPED!! GET HIM OUT! h**p:// 212.199.146.77:xxxx/

<xtuzltrcr> E-thom is trapped in mindjail, mindjail is a trap for your brain, see if you can get him out! h**p://10.206.35.101:xxxx/

as a private message. If you open the url the file MINDJAIL.zip will be downloaded to your computer" says D-SQUAD, an admin of the goldchat.nl IRC network on Usenet. "I get 20 messages in 60 minutes today :(", he finishes his post.

The zip contains an HTML file with a hostile JavaScript that will install the backdoor and add registry values to make the backdoor start up each time Windows boots up.

Never click any links sent to you over IRC. Almost without exception they contain a trojan to infect your machine. Make sure you have a decent (also regularly updated) anti-virus program, and a firewall. Firewalls help prevent a virus from connecting to the outside world if the anti-virus program failed and a backdoor was still able to install.

.............................................................................................


note: I have edited the PORT #, I really don't want to be responsible for the curious out there checking these links to see what they do .... the answer is quite simple what they do: they infect your system with the MINDJAIL TROJAN!!!

and we do not want that to happen do we ?!? :)
 
Intercept said:
[Logon News - Jul 02 2003]

There is a new trojan floating around that asks you to open a url referencing mindjail.zip. This WILL infect you with the trojan. Please do NOT open any urls unless you know and trust the person it is coming from.

The Diplomat :D

There will be more posts from me, but the car accident in May is still affecting my normal life at the moment, sorry People, plus I am having a heart monitor fitted for 24hrs next Wednesday and that's giving me stress, so I am just taking it easy at the moment.

CU all soon OK :cool:
Don't feel stressed about the heart monitor my friend, have had them on me about 3 times a year since I had a metal valve implant in 96. You will not be aware of it. Really no big deal. I go into Afib, that's the reason I have them fitted.

Irish Bear. ;)
 
Irish Bear said:
Don't feel stressed about the heart monitor my friend, have had them on me about 3 times a year since I had a metal valve implant in 96. You will not be aware of it. Really no big deal. I go into Afib, that's the reason I have them fitted.

Irish Bear. ;)

I have had heart probs for a while, it skips beats, speeds up to the point of almost blacking out and slows down as low as 46?? :eek:

Greetz The Diplomat :)
 
I'd be more worried about opening ANY file which u are not 100% certain of its source.
You are just asking for trouble.
Don't do it!
 
Know What you mean!

Intercept said:
I have had heart probs for a while, it skips beats, speeds up to the point of almost blacking out and slows down as low as 46?? :eek:

Greetz The Diplomat :)
Know what you mean Intercept, you could be telling my story. That is exactly what happens to me when I go into Afib, could go as far as 200bpm and then back really slow. But in my case anyway, it is benign, I think as long as you are not in any serious pain, it is not too serious. I had a nephew who had the same problem, and they just put a probe into his heart through his vein and the point that was sending out the wrong signal, that would set him off, they put the probe to this point and passed a little current through to it to burn it and he is perfect ever since. Completely painless and no surgery. Mine is caused by the metal valve in the path of the heart's natural pacemaker, so that would not work. Same reasoning behind it though, but the above procedure will not work for me.

Wish you well my friend..............Irish Bear
 
IRC is fine to use if used with care and used properly :)

there are also many irc chat programs out there that are just for chat with no file transfer options :) so lessens the risk of any headaches :)

anyhow when you get a file transfer unless you change the options you do actually have to ACCEPT the transfer to collect any files being sent :)
 
VIPER_1069 said:
IRC is fine to use if used with care and used properly :)

there are also many irc chat programs out there that are just for chat with no file transfer options :) so lessens the risk of any headaches :)

anyhow when you get a file transfer unless you change the options you do actually have to ACCEPT the transfer to collect any files being sent :)

so it's kind of like emails then? cos you can get files on that, but you don't have to accept them :)
 