This might be an unreleased Back Orifice plugin from an internet user who dislikes GeoCities (only speculation). Odds are, it was distributed widely over IRC in a Warez package or something similar. > The complete content of the 5845 directory was: nfo.zip, nfo.jpg, > servers.zip, servers.jpg, users.zip and users.jpg. When I looked at > the > binary files by doing a cat, the users jpg & zip files were the > same, but the > other files were all unique. >From the names of those files, I'd guess that's a warez pup's account. Then again, who knows. > We did find an entry in his registry with the following setting: > > /microsoft/windowsexplorer/doc/find/spec/mru > a) " " > b) 5845 > c) nfo > d) bo > e) nfo.zip > f) winrar > g) msvbvm60.dll > h) loadwc > i) stargate > j) area51 > mrulist) eadcbjihgf What's the full name of that registry key? The file msvbvm60.dll looks like a Visual BASIC runtime library, possibly a Back Orifice plugin of some sort. > I also asked our ISP to help track some of this and this was their > result. "All the IP's > I've scanned so far from the log have several UDP ports open in the > 31337 range > (what Back Orifice uses)." This is also why I think it may be a BO plugin. Unfortunately, these users have no idea they're helping attack a server, and probably wouldn't suspect a thing. > > So, we really need to find the source instead of asking everyone to > reinstall their OS. It might also be necessary to inform the various > > virus-detection software vendors to try to eradicate this from all of > > the machines that currently have it installed. If it's Back Orifice, some virus scanners will already pick it up. This still doesn't solve the problem of the plugin, which can be stored in any file type, text, dll, or binary. If you do find what it is, please let me know, as I myself am curious. Thank you. Sincerely, Kameron Gasso Direct legitimate replies to krgat_private - Flames, spams, etc. will be handled by the little green monster named /dev/null I keep locked away in my dungeon.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:36 PDT