lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <3996AE5EBEF964418D80953BDCABFF5609939828@ex1.asurite.ad.asu.edu>
From: Stephen.Blass at asu.edu (Stephen Blass)
Subject: wms.exe on win2k?

Pardon me if this is old news and well known, but we are finding a WMS.exe on Win2k machines in both the WINNT and WINNT\system32 directories along with a WINNT\system32\nt directory full of installation and launching scripts plus IRC communication scripts.  

McAfee and Norton have yet to identify it during a scan, but the WMS.exe program we have found is a port scanner that first tries to connect to fuel.pyroshells.com, dnsix.com, and (this is silly) 192.168.0.1 and beyond that I've not had time to analyze the little bugger yet other than to read the scripts.

It uses a svcinst.exe to process a rtl386.sys containing instructions to connect to
irc.elite-irc.net  6667
crystal.elite-irc.net 7000
darwin.elite-irc.net 6667
killer.elite-irc.net 6667

The user name is IsoZone and the credit line reads iSoZoNE WAS H3R3

It installs files named 1MB.Test and 5MB.Test in %sysdir%\pk32 and sets up an admin password entry that looks like an MD5 hash.  We appear to be toast.

So my question is whether someone out there knows what this is?
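A host triage sweep for the artifacts the post lists, added here as an example for readers and not part of the original message or of any vendor tool. It assumes the file names, directories and IRC server list are exactly as quoted above, and it further assumes (the post does not say) that svcinst.exe and rtl386.sys live under system32; the rtl386.sys format is modelled on the "host port" lines quoted in the post. The sample WINNT tree is constructed inside the script so it runs offline; one extra server line is added there to show how endpoints the post does not name are reported separately.

```python
import re
import tempfile
from pathlib import Path

# File and directory artifacts named in the post, relative to the Windows
# system root (WINNT on Windows 2000). Placement of svcinst.exe and
# rtl386.sys under system32 is an assumption, not stated in the post.
FILE_INDICATORS = [
    "WMS.exe",
    "system32/WMS.exe",
    "system32/svcinst.exe",
    "system32/rtl386.sys",
    "system32/pk32/1MB.Test",
    "system32/pk32/5MB.Test",
]
DIR_INDICATORS = ["system32/nt", "system32/pk32"]

# IRC servers and ports as listed in the post.
KNOWN_IRC_ENDPOINTS = {
    ("irc.elite-irc.net", 6667),
    ("crystal.elite-irc.net", 7000),
    ("darwin.elite-irc.net", 6667),
    ("killer.elite-irc.net", 6667),
}

# One "host port" pair per line, the way the post reproduces rtl386.sys.
HOST_PORT_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9.-]*)\s+(\d{1,5})\s*$")


def parse_irc_endpoints(text):
    """Return (host, port) tuples for every 'host port' line in text."""
    found = []
    for line in text.splitlines():
        m = HOST_PORT_RE.match(line)
        if m:
            found.append((m.group(1).lower(), int(m.group(2))))
    return found


def sweep(win_root):
    """Check win_root for the artifacts from the post.

    Returns the relative paths of indicator files and directories that exist,
    plus endpoints parsed from rtl386.sys split into the ones the post names
    and any others (an unknown one deserves its own look).
    """
    root = Path(win_root)
    hits = {
        "files": [p for p in FILE_INDICATORS if (root / p).is_file()],
        "dirs": [p for p in DIR_INDICATORS if (root / p).is_dir()],
        "irc_known": [],
        "irc_other": [],
    }
    cfg = root / "system32" / "rtl386.sys"
    if cfg.is_file():
        # errors="replace": a real config file may not be clean text.
        for ep in parse_irc_endpoints(cfg.read_text(errors="replace")):
            bucket = "irc_known" if ep in KNOWN_IRC_ENDPOINTS else "irc_other"
            hits[bucket].append(ep)
    return hits


def build_sample_tree():
    """Constructed sample: a fake WINNT tree carrying the artifacts from the post.

    All files are empty placeholders except rtl386.sys, which holds the server
    list as quoted in the post plus one constructed line that is not in it.
    """
    root = Path(tempfile.mkdtemp(prefix="winnt_sample_"))
    for rel in FILE_INDICATORS:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).touch()
    (root / "system32" / "nt").mkdir()
    (root / "system32" / "rtl386.sys").write_text(
        "irc.elite-irc.net  6667\n"
        "crystal.elite-irc.net 7000\n"
        "darwin.elite-irc.net 6667\n"
        "killer.elite-irc.net 6667\n"
        "irc.example.invalid 6668\n"  # constructed entry, not from the post
    )
    return root


if __name__ == "__main__":
    import json
    # Run against the constructed tree; on a real host pass the WINNT path instead.
    print(json.dumps(sweep(build_sample_tree()), indent=2))
```

Matching on exact file names is deliberately narrow: it confirms the pattern from the post on a suspect host, but a renamed dropper would not be caught, so treat an empty result as "not this variant" rather than "clean".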
