About two weeks ago, while investigating a user on a server we administrate, we came across someone's stash. Included in it were tucanx.exe and kaiten.exe, which are the same as the joe.exe you posted, except the ones we found joined #tucanx and #kaitex. Along with that we found another program that is used to scan subnets looking for IIS servers vulnerable to the .printer overflow. After exploiting it, the trojan tucanx.exe is uploaded to the server, and they connect to irc.icq.com and join a specified IRC channel.

After a few days we were able to catch up to the only ircop on irc.icq.com, and he shut down all the channels by making them invite-only; it was the best we could think to do. The main purpose of these botnets seems to be to launch distributed Denial of Service attacks. In addition, they can be used to create chaos on IRC. We sent the trojan and the scanner to EEYE.

Thanks,
Josh & lockdown
This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 12:13:10 PDT