Re: Suspicious JOe.exe

From: oktalat_private
Date: Fri Aug 03 2001 - 13:11:13 PDT


    From: <OblivionOat_private>
    > I ran a hex editor on a copy of Joe.exe that was sent to me and although I
    > found most of the same information as the strings command, I was unable to
    > find the request of invite. Upon entering the IRC network that joe.exe is
    > connecting to I tried to enter channel "#penr0x". It is invite only, which
    > leads me to believe that when the zombie connects to IRC it sends a request
    > to a bot or botnetwork with a specific phrase, ordering the botnet to invite
    > it to #penr0x.... My question is where would this phrase/nick be located in
    > the file? I can't seem to find it although it seems to me that it should be in
    > plain text...
    
    The channel is invite-only for this reason:
    
    From: Haul [mailto:Haulat_private]
    Sent: Thursday, August 02, 2001 2:12 AM
    ...Fortunately, ICQ has known about this for some time and restricted access
    to #penr0x more than two weeks ago...
    



    This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 17:22:47 PDT