Message-ID: <3F75A0BD.4070206@cogeco.ca>
From: ph1 at cogeco.ca (David)
Subject: wms.exe on win2k?
S G Masood wrote:
> --- JTBurn <jtburn@....net> wrote:
>
>
>>I think it's a typical form of an XDCC-BoT.
>>that means: they hacked your pc and installed
>>a script from which the persons from the channel
>>can get warez or moviez and so on from your
>>pc.
>>
>>
>>--
>> cu,
>> JTBurn
>
>
> Hello,
>
> I think you are right. In the irc servers mentioned in
> the original post, there is a warez trading channel
> called "#isozone" and as the original poster

Actually it's #iso-zone and I think their control channel was #okie as
someone mentioned before. #okie looks like it was closed down (only 2
people left in it, looks like some were moved to #test0r) and #iso-zone
looks like they are having a lack of warez sharing bots.

10:36 [ctcp([iZ]-iSo-ZonE0074)] VERSION
10:36 CTCP VERSION reply from [iZ]-iSo-ZonE0074: Xans XDCC Bot 0.51

Here is a quick scan of some infected machines (if these are the same bots).

> mentioned, "the user name is IsoZone and the credit
> line reads iSoZoNE WAS H3R3". So, your PC is being
> used to serve illegal warez to people. Even though it
> is not your fault, it can get you in trouble with the
> law.
>
> --
> S.G.Masood
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>