Re: Suspicious JOe.exe

From: OblivionOat_private
Date: Fri Aug 03 2001 - 11:37:41 PDT

Next message: Tomasz Wendlandt: "Re: slackware permissions"

Previous message: Greg Wirth: "Re[2]: Suspicious joe.exe"
Next in thread: Tony Lambiris: "Re: Suspicious JOe.exe"
Reply: Tony Lambiris: "Re: Suspicious JOe.exe"
Reply: oktalat_private: "Re: Suspicious JOe.exe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I ran a hex editor on a copy of Joe.exe that was sent to me and although i 
found most of the same information as the strings command, i was unable to 
find the request of invite. Upon entering the iRC network that joe.exe is 
connecting to i tried to enter channel "#penr0x". It is invite only, whcih 
leads me to believe that when the zombie connects to irc it sends a request 
to a bot or botnetwork with a specific phrase, ordering the botnet to invite 
it to #penr0x.... My question is where would this phrase/nick be located in 
the file? i cant seem to find it although it seems to me that it should be in 
plain text...

 ~ Chris

Next message: Tomasz Wendlandt: "Re: slackware permissions"
Previous message: Greg Wirth: "Re[2]: Suspicious joe.exe"
Next in thread: Tony Lambiris: "Re: Suspicious JOe.exe"
Reply: Tony Lambiris: "Re: Suspicious JOe.exe"
Reply: oktalat_private: "Re: Suspicious JOe.exe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 12:08:53 PDT