RE: Suspicious JOe.exe

From: Petruzel, Oliver (OliverPat_private)
Date: Fri Aug 03 2001 - 12:18:11 PDT

    actually, -I think-, that the operator made it invite only in order to make
    the trojan dysfunctional... I believe the same solution was used for #kaiten and
    #knight
    
    oliver p.
    
    
    > -----Original Message-----
    > From: OblivionOat_private [mailto:OblivionOat_private]
    > Sent: Friday, August 03, 2001 2:38 PM
    > To: vuln-devat_private
    > Subject: Re: Suspicious JOe.exe
    > 
    > 
    > I ran a hex editor on a copy of Joe.exe that was sent to me and although I
    > found most of the same information as the strings command, I was unable to
    > find the request of invite. Upon entering the IRC network that joe.exe is
    > connecting to I tried to enter channel "#penr0x". It is invite only, which
    > leads me to believe that when the zombie connects to IRC it sends a request
    > to a bot or botnetwork with a specific phrase, ordering the botnet to invite
    > it to #penr0x.... My question is where would this phrase/nick be located in
    > the file? I can't seem to find it although it seems to me that it should be in
    > plain text...
    > 
    >  ~ Chris
    > 
    



    This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 12:47:33 PDT