RE: Suspicious joe.exe

From: Reb (rebat_private)
Date: Thu Aug 02 2001 - 10:57:26 PDT


    Greetings all,
    
    For all of you that replied with a suggestion of:
    
    You really should get a virus scanner.
    
    I used to work for an anti-virus company and that's the *first* thing that I
    did.  I made sure that I had the latest dat files from NAI (4151) and
    scanned it on a different machine.  I then uploaded it to my linux box so
    that I could easily see what was inside of the file.  From all the posts
    that I have received both personally (thanks guys) and publicly this seems
    to be a ddos attack agent with an irc controller.  It doesn't seem that
    either Symantec or McAfee detects this version of the file, but Symantec should
    get back to me soon.
    
    A little more information on the box that was apparently compromised.  It
    was built on an internal network of about 6 machines on a 192.168 subnet,
    and none of the other machines on this network seem to have been
    compromised.  It had the most blatant security issues dealt with
    (IIS/shares/unused services) and was placed on a network with no firewall or
    any other type of protection in front of it.  This wasn't MY idea to put it
    out there all alone, but upper management didn't want it behind a firewall.
    A week after being placed directly connected to the internet the box starts
    locking up for no apparent reason.  Since I'm no longer walking distance
    from the box it takes me a few hours to get to it.  I start troubleshooting
    the problem and happen upon the Trojan.
    
    Reb
    
    -----Original Message-----
    From: Haul [mailto:Haulat_private]
    Sent: Thursday, August 02, 2001 2:12 AM
    To: VULN-DEV List
    Subject: RE: Suspicious joe.exe
    
    The joe.exe that you have is a trojan called the Knight.  It is used for
    DDoS attacks.  It connects to one of ICQ's IRC servers,
    and waits for commands by the "master" of the zombies.  The master can use
    your computer to UDP flood a target.  Fortunately, ICQ
    has known about this for some time and restricted access to #penr0x more
    than two weeks ago, so your computer hasn't participated in
    any attacks.  You really should get a virus scanner.
    
    > -----Original Message-----
    > From: Reb [mailto:rebat_private]
    > Sent: Thursday, August 02, 2001 1:22 AM
    > To: VULN-DEV List
    > Subject: Suspicious joe.exe
    >
    >
    > Greetings all,
    >
    > While troubleshooting a problem with Win2k server doing a hard lock ( no
    > response to keyboard/mouse) I happened upon the Run key
    > (SOFTWARE\Microsoft\Windows\CurrentVersion\Run\) and noticed that joe.exe
    > was being started.  Being that this box was no more than 2 weeks old I found
    > this highly odd since it wasn't being loaded as a service and whatnot.  So
    > I'm done dealing with the 2k server hang for a bit and I start looking at
    > this file. After I've googled and bugtraq'd my way around I can't find
    > anything that mentions such a Trojan/virus. It seems to be some type of irc
    > client that connects to 205.188.253.230 and joins #penr0x, which is +I.  If
    > asked I can gzip/zip up the file and send it to someone.  If anyone has any
    > insight to this I'd love to hear from you. Here's a bit of information on
    > the exe.
    >
    > [reb@ reb]$ ls -al joe.exe
    > -rw-r--r--   1 reb      reb         53248 Aug  1 17:58 joe.exe
    > [reb@ reb]$ md5sum joe.exe
    > 488c80ba0b2186a1ba52c4e69c590bc6  joe.exe
    
    <cropped for brevity>
    
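As an added example (not code from the thread or from any poster), a small triage script for the check Reb describes: it parses a regedit export of the Run key, pulls the executable out of each value, hashes the file and flags a match against the MD5 reported for joe.exe above. The .reg text, value names and file paths are constructed for illustration; only the digest comes from the thread.

```python
import hashlib
import re

KNOWN_BAD_MD5 = {"488c80ba0b2186a1ba52c4e69c590bc6": "joe.exe (Knight)"}  # digest from the thread
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed regedit export for illustration; value names and paths are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"joe"="C:\\WINNT\\system32\\joe.exe"
"Synchronization Manager"="\"C:\\WINNT\\system32\\mobsync.exe\" /logon"
'''

def parse_run_export(reg_text):
    """Return {value_name: command} for the string values under the Run key."""
    entries, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
        m = re.match(r'^"([^"]+)"="(.*)"$', line) if in_run else None
        if m:  # .reg files escape backslashes and quotes; undo that
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return entries

def executable_from_command(command):
    """Extract the program path from a Run value, whether quoted or followed by args."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def md5_of_file(path):
    """MD5 of a file, used only because that is the digest the thread reports."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def triage(reg_text, hasher=md5_of_file):
    """List (value_name, exe_path, verdict) per Run entry: known-bad, unknown or missing."""
    results = []
    for name, command in parse_run_export(reg_text).items():
        exe = executable_from_command(command)
        try:
            verdict = "known-bad" if hasher(exe) in KNOWN_BAD_MD5 else "unknown"
        except OSError:  # the Run key points at a file that is gone: worth a look too
            verdict = "missing"
        results.append((name, exe, verdict))
    return results
```

Export the key with `reg export` (or regedit) on the suspect box, then run `triage()` on that text from a clean machine, passing a hasher that reads the copied files.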



    This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 11:31:57 PDT