Suspicious joe.exe

From: Reb (rebat_private)
Date: Wed Aug 01 2001 - 22:21:48 PDT

Next message: Rikul: "Re: Suspicious joe.exe"

Previous message: Paul Rogers: "OBRS - Open Business Reporting Standard"
Next in thread: Rikul: "Re: Suspicious joe.exe"
Reply: Rikul: "Re: Suspicious joe.exe"
Reply: Felix Huber: "Re: Suspicious joe.exe"
Reply: Petruzel, Oliver: "RE: Suspicious joe.exe"
Reply: Josh Smith: "Re: Suspicious joe.exe"
Reply: Haul: "RE: Suspicious joe.exe"
Reply: sea urchin attacks: "Re: Suspicious joe.exe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Greetings all,

While troubleshooting a problem with Win2k server doing a hard lock ( no
response to keyboard/mouse) I happened upon the Run key
(SOFTWARE\Microsoft\Windows\CurrentVersion\Run\) and noticed that joe.exe
was being started.  Being that this box was no more than 2 weeks old I found
this highly odd since it wasn't being loaded as a service and whatnot.  So
I'm done dealing with the 2k server hang for a bit and I start looking at
this file. After I've googled and bugtraq'd my way around I can't find
anything that mentions such a Trojan/virus. It seems to be some type of irc
client that connects to 205.188.253.230 and joins #penr0x, which is +I.  If
asked I can gzip/zip up the file and send it to someone.  If anyone has any
insight to this I'd love to hear from you. Here's a bit of information on
the exe.

[reb@ reb]$ ls -al joe.exe
-rw-r--r--   1 reb      reb         53248 Aug  1 17:58 joe.exe
[reb@ reb]$ md5sum joe.exe
488c80ba0b2186a1ba52c4e69c590bc6  joe.exe

Some of the more useful strings from `strings joe.exe` are:

Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetLastActivePopup
GetActiveWindow
MessageBoxA
NICK
VERSION
KILL
HELP
PRIVMSG
PING
NOTICE %s :DNS <host>
NOTICE %s :Resolving %s...
NOTICE %s :Unable to resolve.
NOTICE %s :Resolved to %s.
NOTICE %s :GET <host> <save as>
NOTICE %s :Unable to create socket.
http://
NOTICE %s :Unable to resolve address.
NOTICE %s :Unable to connect to http.
GET /%s HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
Host: %s:80
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
NOTICE %s :Receiving file.
NOTICE %s :Saved as %s
NOTICE %s :Voyager Alpha Force: Age of Kaiten
NOTICE %s :NICK <nick>
NOTICE %s :Nick cannot be larger than 9 characters.
NICK %s
NOTICE %s :UDP <target> <secs>
NOTICE %s :GET <http address> <save as> = Downloads a file off the
web and saves it onto the hd
NOTICE %s :NICK <nick> = Changes the nick of the knight
NOTICE %s :DNS <host> = DNSs a host
NOTICE %s :IRC <command> = Sends this command to the server
NOTICE %s :KILL = Kills the knight
NOTICE %s :VERSION = Requests version of knight
NOTICE %s :HELP = Displays this
IRC
SYSTEM
HIDE
SHOW
MODE %s -xi
JOIN %s :
WHO %s
PONG %s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
TaskReg
#penr0x
205.188.253.230
NICK %s
USER %s localhost localhost :%s
ERROR


Reb

Next message: Rikul: "Re: Suspicious joe.exe"
Previous message: Paul Rogers: "OBRS - Open Business Reporting Standard"
Next in thread: Rikul: "Re: Suspicious joe.exe"
Reply: Rikul: "Re: Suspicious joe.exe"
Reply: Felix Huber: "Re: Suspicious joe.exe"
Reply: Petruzel, Oliver: "RE: Suspicious joe.exe"
Reply: Josh Smith: "Re: Suspicious joe.exe"
Reply: Haul: "RE: Suspicious joe.exe"
Reply: sea urchin attacks: "Re: Suspicious joe.exe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 22:45:16 PDT