actually, -i think-, that the operator made it invite only in order to make the trojan disfunctional... i believe same solution was used for #kaiten and #knight oliver p. > -----Original Message----- > From: OblivionOat_private [mailto:OblivionOat_private] > Sent: Friday, August 03, 2001 2:38 PM > To: vuln-devat_private > Subject: Re: Suspicious JOe.exe > > > I ran a hex editor on a copy of Joe.exe that was sent to me > and although i > found most of the same information as the strings command, i > was unable to > find the request of invite. Upon entering the iRC network > that joe.exe is > connecting to i tried to enter channel "#penr0x". It is > invite only, whcih > leads me to believe that when the zombie connects to irc it > sends a request > to a bot or botnetwork with a specific phrase, ordering the > botnet to invite > it to #penr0x.... My question is where would this phrase/nick > be located in > the file? i cant seem to find it although it seems to me that > it should be in > plain text... > > ~ Chris >
This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 12:47:33 PDT