Message-ID: <1916859874.20030927150137@gmx.net>
From: jtburn at gmx.net (JTBurn)
Subject: wms.exe on win2k?
Hi Stephen,
Thursday, September 25, 2003, 11:53:44 PM, you wrote:
SB> Pardon me if this is old news and well known, but we are finding a WMS.exe on Win2k machines in both the WINNT and
SB> WINNT\system32 directories along with a WINNT\system32\nt directory full of
SB> installation and launching scripts plus IRC communication scripts.
SB> McAfee and Norton have yet to identify it during a scan, but the WMS.exe program we have found is a port scanner
SB> that first tries to connect to fuel.pyroshells.com, dnsix.com, and (this is
SB> silly) 192.168.0.1 and beyond that I've not had time to analyze the little bugger yet other than to read the scripts.
SB> It uses a svcinst.exe to process a rtl386.sys containing instructions to connect to
SB> irc.elite-irc.net 6667
SB> crystal.elite-irc.net 7000
SB> darwin.elite-irc.net 6667
SB> killer.elite-irc.net 6667
SB> the user name is IsoZone and the credit line reads iSoZoNE WAS H3R3
SB> It installs files named 1MB.Test and 5MB.Test in %sysdir%\pk32 and sets up an admin password entry that looks like
SB> an MD5 hash. We appear to be toast.
SB> So my question is whether someone out there knows what this is?
I think it's a typical form of an XDCC bot. That means: they hacked your PC and installed a script from which the persons in the channel can get warez or moviez and so on from your PC.
--
cu,
JTBurn
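As an added example that is not part of Stephen's or JTBurn's messages: a small Python triage helper that sweeps a directory listing and a firewall-style connection log for the file artifacts and IRC servers named in the report above. The log line format, the function names and the sample inputs are assumptions constructed for the example; the indicators themselves are taken from the post.

```python
import re

# Artifact names from the report (file names and directory fragments).
SUSPECT_FILES = {"wms.exe", "svcinst.exe", "rtl386.sys", "1mb.test", "5mb.test"}
SUSPECT_DIRS = {"\\system32\\nt\\", "\\system32\\pk32\\"}
# IRC servers and ports from the rtl386.sys instructions, and the hosts
# the scanner contacts first (192.168.0.1 is left out: it is a private address).
IRC_DOMAINS = {"elite-irc.net"}
IRC_PORTS = {6667, 7000}
FIRST_CONTACTS = {"fuel.pyroshells.com", "dnsix.com"}

# Assumed log format (constructed for this example): "<src> -> <dsthost>:<port>"
LOG_RE = re.compile(r"(?P<src>\S+)\s+->\s+(?P<dst>[\w.\-]+):(?P<port>\d+)")

def check_files(listing):
    """Return entries of a directory listing that match a named artifact."""
    hits = []
    for entry in listing:
        low = entry.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SUSPECT_FILES or any(d in low for d in SUSPECT_DIRS):
            hits.append(entry)
    return hits

def check_connections(log_lines):
    """Return (src, host, port) for lines aimed at a listed IRC server (any
    subdomain, on an IRC port) or at one of the first-contact hosts."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        host, port = m["dst"].lower(), int(m["port"])
        irc = any(host == d or host.endswith("." + d) for d in IRC_DOMAINS)
        if (irc and port in IRC_PORTS) or host in FIRST_CONTACTS:
            hits.append((m["src"], host, port))
    return hits

# Constructed sample data mirroring the report.
SAMPLE_LISTING = [r"C:\WINNT\WMS.exe", r"C:\WINNT\system32\WMS.exe",
                  r"C:\WINNT\system32\nt\install.bat", r"C:\WINNT\system32\pk32\1MB.Test",
                  r"C:\WINNT\system32\notepad.exe"]
SAMPLE_LOG = ["10.0.0.7 -> fuel.pyroshells.com:80", "10.0.0.7 -> killer.elite-irc.net:6667",
              "10.0.0.7 -> crystal.elite-irc.net:7000", "10.0.0.7 -> www.example.com:443",
              "10.0.0.7 -> elite-irc.net:22"]

if __name__ == "__main__":
    print("files:", check_files(SAMPLE_LISTING))
    print("connections:", check_connections(SAMPLE_LOG))
```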