In-Reply-To: <20021004233810.16182.qmailat_private>

Ok, well I don't usually do this, post any info I've collected, but I am trying to find information back as well. I too had an experience with the PipeCmdSvr, and I'm still not sure exactly how it came on my machine. I am running Win2k Pro. I downloaded this program called MyIE, an overlay for the IE web browser. During some of my searches I kept getting Chinese web sites in my tabs. I was just playing around with some of the settings and when I clicked on the Resource button a prompt came up that said "some sites may not work well without the Chinese language pack installed. Do you want to install the Chinese language pack?" Well I did. I know, I know, are you crazy man? lol At any rate, it proceeded to install something. Then I got a message from Win2k saying that some files would be overwritten, did I want to continue. Well obviously I responded no, but it would not let me click no; the only way to gain access again to my desktop was to click yes, which I did. When my machine rebooted, it was much much slower than it had been. Subsequent reboots had this little mIRC window coming up on reboot, and while I had used mIRC in the past, I had not reloaded it since I had done a new install of Win2k. That's what got me interested, so I looked in Task Manager to see what was running, and that's when I ran across the Explored.exe program running. Now I am no programmer or a Windows guru, but in 8 years of using Windows software I'm no novice either. That threw up a flag so I investigated farther. In doing a search for Explored.exe online I came up with the http://golcor.tripod.com/gtbot.htm site, and I was able to determine what I had, a trojan no less. Now I wanted to know how and where I got it. Obviously it had come from downloading the Chinese language pack, but was it a MyIE program or did I have a bootlegged program?
Well, to make this long story short, I looked for other MyIE download sites and found one that I deemed to be safe and installed it. I can't get this one to ask me for the Chinese language pack download, so I can only assume that I had gotten a hacked program to start with. Also, the MyIE executable on the bogus file was 750k and on the last one I installed it was only 450k. I am assuming that's how I got it. I did have a mirror that I made a week ago, so just to be safe I put that back on after renaming all the infected files and moving them into a folder on another drive. I still wanted to investigate further, so I started looking inside some of the mIRC files that go along with this trojan. From some of the information gathered I found a "report to" location: DALnet, channel #Iamowned. I went there and there were about 12 nicks in the room with the Owned(#####) nicks; I'm guessing bots. When I reinstalled my mirror, I put Zone Alarm back on as I have a static IP and was a tad worried that someone had my IP number. Over the next couple of hours I got repeated hits (more than 30) from a site, 66.28.140.212, each time at different ports including telnet. In looking this up I found that this IP was registered to Cogent Communications. Not sure how I'm going to proceed from here. This is the first time I've been hacked in 9 years online. I'm sure this trojan can be enabled in other ways, but I just wanted to let you know that in this instance I think the MyIE was how it came to rest on my machine. Unless I have some big problems with it, I am going to continue to use this program as it has an almost identical user interface to Opera but using the IE web browser shell. I did save all the files that were a part of the trojan program after renaming the extensions, and if anyone would like to have one or all of them I would be happy to send them on.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Oct 20 2002 - 21:07:36 PDT