Very interesting. I figured this would be on a Warez bot since many Warez kiddies trust the bots and since the filenames looked a bit suspicious. I was curious as to how the author of the original post knew the users were on IRC.

> (stable). My personal estimation of infected computer it's 15000+.

That's not good. Many of these infected people probably don't read BUGTRAQ, and will have no clue. Unfortunately, there's nothing we can do without the help of IRC operators and administrators.

> With 500 "clones" they can easily split an irc server with the command
> MOTD :irc.server.net (.do raw command).

Dianora: Thanks for verifying this. Perhaps this information should be forwarded to IRC administrators of UnderNet and DALNet. It would be a lot easier to get rid of this thing when the operators know who is infected.

> To see if you are infected do CTRL-ALT-DEL in windows and if you have a
> process called OCE it's the Havoc's trojan :] remove it in your system
> directory usually c:\windows\system

Is that in a regular task list or a low-level process viewer? Programs such as BO and NetBus do not show up in the task list, but a less complex program/less experienced programmer might forget about this or just not know how to hide it.

If it is visible only in a low-level process viewer, Windows95 users will have to download one. Windows98 users can install one optionally, and WindowsNT users have one installed by default. The user will probably have to kill the process before removing the file, or else they will get the message "This file is in use by Windows".

I don't have a URL for a Windows95 process viewer since I don't use Windows95. I'm sure several users would appreciate a post from anyone who might have one.

It's too bad this has to happen, but what can we do...

- Kameron Gasso
krgat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:37 PDT