Re: Suspicious joe.exe

From: Rikul (rikulat_private)
Date: Thu Aug 02 2001 - 00:04:01 PDT


    It's an IRC bot that is used to do distributed DoS attacks. The
    IRC channel acts as command center for all the bots. You could sniff the
    traffic and figure out how to pretend to be an IRC bot to get into the
    channel. After that you can get the IP/userinfo of the person controlling
    all the bots. It probably came in an email that you opened in Outlook.
    
    - Rikul
    
    
    On Thursday 02 August 2001 12:21 am, you wrote:
    > Greetings all,
    >
    > While troubleshooting a problem with Win2k server doing a hard lock ( no
    > response to keyboard/mouse) I happened upon the Run key
    > (SOFTWARE\Microsoft\Windows\CurrentVersion\Run\) and noticed that joe.exe
    > was being started.  Being that this box was no more than 2 weeks old I
    > found this highly odd since it wasn't being loaded as a service and
    > whatnot.  So I'm done dealing with the 2k server hang for a bit and I start
    > looking at this file. After I've googled and bugtraq'd my way around I
    > can't find anything that mentions such a Trojan/virus. It seems to be some
    > type of irc client that connects to 205.188.253.230 and joins #penr0x,
    > which is +I.  If asked I can gzip/zip up the file and send it to someone. 
    > If anyone has any insight to this I'd love to hear from you. Here's a bit
    > of information on the exe.
    >
    > [reb@ reb]$ ls -al joe.exe
    > -rw-r--r--   1 reb      reb         53248 Aug  1 17:58 joe.exe
    > [reb@ reb]$ md5sum joe.exe
    > 488c80ba0b2186a1ba52c4e69c590bc6  joe.exe
    >
    > Some of the more useful strings from `strings joe.exe` are:
    >
    > Microsoft Visual C++ Runtime Library
    > Runtime Error!
    > Program:
    > <program name unknown>
    > SunMonTueWedThuFriSat
    > JanFebMarAprMayJunJulAugSepOctNovDec
    > GetLastActivePopup
    > GetActiveWindow
    > MessageBoxA
    > NICK
    > VERSION
    > KILL
    > HELP
    > PRIVMSG
    > PING
    > NOTICE %s :DNS <host>
    > NOTICE %s :Resolving %s...
    > NOTICE %s :Unable to resolve.
    > NOTICE %s :Resolved to %s.
    > NOTICE %s :GET <host> <save as>
    > NOTICE %s :Unable to create socket.
    > http://
    > NOTICE %s :Unable to resolve address.
    > NOTICE %s :Unable to connect to http.
    > GET /%s HTTP/1.0
    > Connection: Keep-Alive
    > User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
    > Host: %s:80
    > Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    > Accept-Encoding: gzip
    > Accept-Language: en
    > Accept-Charset: iso-8859-1,*,utf-8
    > NOTICE %s :Receiving file.
    > NOTICE %s :Saved as %s
    > NOTICE %s :Voyager Alpha Force: Age of Kaiten
    > NOTICE %s :NICK <nick>
    > NOTICE %s :Nick cannot be larger than 9 characters.
    > NICK %s
    > NOTICE %s :UDP <target> <secs>
    > NOTICE %s :GET <http address> <save as> = Downloads a file off the
    > web and saves it onto the hd
    > NOTICE %s :NICK <nick> = Changes the nick of the knight
    > NOTICE %s :DNS <host> = DNSs a host
    > NOTICE %s :IRC <command> = Sends this command to the server
    > NOTICE %s :KILL = Kills the knight
    > NOTICE %s :VERSION = Requests version of knight
    > NOTICE %s :HELP = Displays this
    > IRC
    > SYSTEM
    > HIDE
    > SHOW
    > MODE %s -xi
    > JOIN %s :
    > WHO %s
    > PONG %s
    > SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    > TaskReg
    > #penr0x
    > 205.188.253.230
    > NICK %s
    > USER %s localhost localhost :%s
    > ERROR
    >
    >
    > Reb
    
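As an added illustration (not code from either poster), the `strings joe.exe` output Reb quoted can be triaged automatically: the Python below embeds a constructed subset of that output and sorts each line into IRC protocol, bot help text, HTTP download, Run-key persistence and C2 indicator buckets. The regex rules and the `looks_like_irc_bot` heuristic are assumptions of this example, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the `strings joe.exe` output quoted in the post.
SAMPLE_STRINGS = """\
NOTICE %s :UDP <target> <secs>
NOTICE %s :GET <http address> <save as> = Downloads a file off the
NOTICE %s :KILL = Kills the knight
GET /%s HTTP/1.0
User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\
TaskReg
#penr0x
205.188.253.230
NICK %s
USER %s localhost localhost :%s
JOIN %s :
MODE %s -xi
Microsoft Visual C++ Runtime Library
""".splitlines()

# Assumed triage rules: (category, regex). A string lands in the first category it matches.
RULES = [
    ("irc_protocol", re.compile(r"^(NICK|USER|JOIN|MODE|PONG|PRIVMSG|WHO) ")),
    ("irc_bot_help", re.compile(r"^NOTICE %s :[A-Z]+ .*(=|<)")),
    ("http_download", re.compile(r"^(GET /|User-Agent:|Host: )")),
    ("persistence", re.compile(r"CurrentVersion\\Run", re.IGNORECASE)),
    ("irc_channel", re.compile(r"^#[\w-]+$")),
    ("ipv4", re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")),
]

def triage(strings):
    """Map each category to the strings that matched it; unmatched strings are dropped."""
    hits = defaultdict(list)
    for s in strings:
        for cat, rx in RULES:
            if rx.search(s):
                hits[cat].append(s)
                break
    return dict(hits)

def looks_like_irc_bot(hits):
    """Heuristic verdict: IRC client traffic plus bot help text plus Run-key persistence."""
    return all(k in hits for k in ("irc_protocol", "irc_bot_help", "persistence"))

def c2_indicators(hits):
    """Values a defender would block or alert on: raw server IPs and channel names."""
    return hits.get("ipv4", []) + hits.get("irc_channel", [])
```

Running `triage(SAMPLE_STRINGS)` on the sample returns a verdict of IRC bot with `205.188.253.230` and `#penr0x` as the indicators to watch on the network and in the Run key.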



    This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 10:02:01 PDT