Re: Suspicious JOe.exe

From: oktalat_private
Date: Fri Aug 03 2001 - 13:11:13 PDT

Next message: JKlemencat_private: "Code Red Infecting HP JetDirect - Not Exactly"

Previous message: Joshua Myles: "Re: slackware permissions"
In reply to: OblivionOat_private: "Re: Suspicious JOe.exe"
Next in thread: Sould3mon: "Re: Suspicious JOe.exe"
Reply: Sould3mon: "Re: Suspicious JOe.exe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: <OblivionOat_private>
> I ran a hex editor on a copy of Joe.exe that was sent to me and although i
> found most of the same information as the strings command, i was unable to
> find the request of invite. Upon entering the iRC network that joe.exe is
> connecting to i tried to enter channel "#penr0x". It is invite only, whcih
> leads me to believe that when the zombie connects to irc it sends a
request
> to a bot or botnetwork with a specific phrase, ordering the botnet to
invite
> it to #penr0x.... My question is where would this phrase/nick be located
in
> the file? i cant seem to find it although it seems to me that it should be
in
> plain text...

The channel is invite-only for this reason:

From: Haul [mailto:Haulat_private]
Sent: Thursday, August 02, 2001 2:12 AM
...Fortunately, ICQ has known about this for some time and restricted access
to #penr0x more than two weeks ago...

Next message: JKlemencat_private: "Code Red Infecting HP JetDirect - Not Exactly"
Previous message: Joshua Myles: "Re: slackware permissions"
In reply to: OblivionOat_private: "Re: Suspicious JOe.exe"
Next in thread: Sould3mon: "Re: Suspicious JOe.exe"
Reply: Sould3mon: "Re: Suspicious JOe.exe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 17:22:47 PDT