Two quick questions:

1. What does this have to do w/ PipeCmdSrv?

2. If at one point you say, "Obviously it had come from downloading the Chinese language pack, but was it a MyIE program or did I have a bootlegged program" (what's a "bootlegged" program, BTW??), then why do you follow it by saying, "just wanted to let you know that in this instance I think the MyIE was how it came to rest on my machine"? Which is it?

--- sfustonat_private wrote:

> In-Reply-To: <20021004233810.16182.qmailat_private>
>
> Ok, well I don't usually do this, post any info I've collected, but I am trying to find information back as well. I too had an experience with the PipeCmdSvr, and I'm still not sure exactly how it came on my machine. I am running Win2k Pro.
>
> I downloaded this program called MYIE, an overlay for the IE web browser. During some of my searches I kept getting Chinese web sites in my tabs. I was just playing around with some of the settings, and when I clicked on the Resource button a prompt came up that said "some sites may not work well without the Chinese language pack installed. Do you want to install the Chinese language pack?" Well, I did. I know, I know, are you crazy man? lol. At any rate, it proceeded to install something. Then I got a message from Win2k saying that some files would be overwritten; did I want to continue. Well, obviously I responded no, but it would not let me click no; the only way to gain access again to my desktop was to click yes, which I did. When my machine rebooted, it was much, much slower than it had been. Subsequent reboots had this little mIRC window coming up on reboot, and while I had used mIRC in the past, I had not reloaded it since I had done a new install of Win2k. That's what got me interested, so I looked in Task Manager to see what was running, and that's when I ran across the Explored.exe program running.
>
> Now I am no programmer or a Windows guru, but in 8 years of using Windows software I'm no novice either. That threw up a flag, so I investigated further. In doing a search for Explored.exe online I came up with the http://golcor.tripod.com/gtbot.htm site, and I was able to determine what I had, a trojan no less. Now I wanted to know how and where I got it. Obviously it had come from downloading the Chinese language pack, but was it a MyIE program or did I have a bootlegged program? Well, to make this long story short, I looked for other MyIE download sites and found one that I deemed to be safe and installed it. I can't get this one to ask me for the Chinese language pack download, so I can only assume that I had gotten a hacked program to start with. Also, the MyIE executable on the bogus file was 750k and on the last one I installed it was only 450k. I am assuming that's how I got it. I did have a mirror that I made a week ago, so just to be safe I put that back on after renaming all the infected files and moving them into a folder on another drive.
>
> I still wanted to investigate further, so I started looking inside some of the mIRC files that go along with this trojan. From some of the information gathered I found a "report to" location: Dalnet, channel #Iamowned. I went there and there were about 12 nicks in the room with the Owned(#####) nicks, I'm guessing bots.
>
> When I reinstalled my mirror, I put Zone Alarm back on, as I have a static IP and was a tad worried that someone had my IP number. Over the next couple of hours I got repeated hits (more than 30) from a site, 66.28.140.212, each time at different ports including telnet. In looking this up I found that this IP was registered to Cogent Communications. Not sure how I'm going to proceed from here. This is the first time I've been hacked in 9 years online.
>
> I'm sure this trojan can be enabled in other ways, but just wanted to let you know that in this instance I think the MyIE was how it came to rest on my machine. Unless I have some big problems with it, I am going to continue to use this program, as it is almost an identical user interface as Opera but using the IE web browser shell.
>
> I did save all the files that were a part of the trojan program after renaming the extensions, and if anyone would like to have one or all of them I would be happy to send them on.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
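The pattern the original poster reports after reinstalling (one source address, 66.28.140.212, hitting the same host on more than 30 different ports over a couple of hours, telnet among them) is what a basic scan detector looks for in a personal-firewall log. The script below is an added example and is not part of the original thread or of any product named in it. The log format it parses is a constructed, simplified one chosen for this example, not ZoneAlarm's actual format; the sample lines, timestamps, target address 192.0.2.10, the 4-port threshold and the 3-hour window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified firewall log format for this example (NOT ZoneAlarm's):
#   "<YYYY-mm-dd HH:MM:SS> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one address probing several ports (telnet included),
# two unrelated hosts as noise, and one malformed line the parser must skip.
SAMPLE_LOG = """\
2002-10-05 20:01:11 BLOCK TCP 66.28.140.212:4123 -> 192.0.2.10:23
2002-10-05 20:03:40 BLOCK TCP 66.28.140.212:4125 -> 192.0.2.10:135
2002-10-05 20:07:02 BLOCK TCP 66.28.140.212:4130 -> 192.0.2.10:139
2002-10-05 20:15:55 BLOCK TCP 198.51.100.7:51000 -> 192.0.2.10:80
2002-10-05 20:22:19 BLOCK TCP 66.28.140.212:4151 -> 192.0.2.10:445
2002-10-05 20:40:03 BLOCK TCP 66.28.140.212:4180 -> 192.0.2.10:6667
2002-10-05 21:05:30 BLOCK UDP 203.0.113.9:53 -> 192.0.2.10:1027
2002-10-05 21:30:48 BLOCK TCP 66.28.140.212:4210 -> 192.0.2.10:1080
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec


def find_scanners(log_text, min_ports=4, window=timedelta(hours=3)):
    """Flag sources that touch >= min_ports distinct destination ports within `window`.

    Returns {src_ip: sorted list of every distinct port that source hit}.
    Threshold and window are assumed values for this example.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            events[rec["src"]].append((rec["ts"], rec["dport"]))

    scanners = {}
    for src, hits in events.items():
        hits.sort()  # time order, so a sliding window works
        lo = 0
        for hi in range(len(hits)):
            # shrink the window from the left until it spans at most `window`
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            distinct = {port for _, port in hits[lo:hi + 1]}
            if len(distinct) >= min_ports:
                scanners[src] = sorted({port for _, port in hits})
                break
    return scanners


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(ports)} distinct ports: {ports}")
```

The sliding window matters more than the raw count: a single address that hits four ports in a few minutes is a scan, while four hits spread over a month is background noise, and a plain counter cannot tell the two apart. Malformed lines are dropped rather than raised on, since a detector that dies on one odd log line is a detector an attacker can switch off.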
This archive was generated by hypermail 2b30 : Mon Oct 21 2002 - 15:48:16 PDT