Message-ID: <3F75A0BD.4070206@cogeco.ca>
From: ph1 at cogeco.ca (David)
Subject: wms.exe on win2k?

S G Masood wrote:
> --- JTBurn <jtburn@....net> wrote:
> 
> 
>>I think it's a typical form of an XDCC-BoT.
>>that means: they hacked your pc and installed
>>a script from which the persons from the channel
>>can get warez or moviez and so on from your
>>pc.
>>
>>
>>-- 
>> cu,
>> JTBurn
> 
> 
> Hello,
> 
> I think you are right. In the irc servers mentioned in
> the original post, there is a warez trading channel
> called "#isozone" and as the original poster

Actually it's #iso-zone and I think their control channel was #okie as 
someone mentioned before. #okie looks like it was closed down (only 2 
people left in it, looks like some were moved to #test0r) and #iso-zone 
looks like they are having a lack of warez sharing bots.

10:36 [ctcp([iZ]-iSo-ZonE0074)] VERSION
10:36 CTCP VERSION reply from [iZ]-iSo-ZonE0074: Xans XDCC Bot 0.51

Here is a quick scan of some infected machines (if these are the same bots).

10:32 ***          * [iZ]-iSo-ZonE0043 H   3 
~isozone@...633A0.8BD6C1A0.186AA253.IP "IsoZone"
10:32 ***          * [iZ]-iSo-ZonE0004 H   3 
~isozone@...te-2CA6A92.wma.east.verizon.net "IsoZone"
10:32 ***    #test0r [iZ]-iSo-ZonE0001 H   3 
~isozone@...49622.62BF52C7.6CBC51B0.IP "IsoZone"
10:32 ***    #test0r [iZ]-iSo-ZonE0011 H   3 
~isozone@...0764D.6466F028.76139EF4.IP "IsoZone"
10:32 ***    #test0r [iZ]-iSo-ZonE0062 H   3 
~isozone@...te-1E90FB7B.dyn.optonline.net "IsoZone"
10:32 ***          * [iZ]-iSo-ZonE0086-OutOfOrder H   3 
~isozone@...te-36E2AF65.cs.vt.edu "IsoZone"
10:32 ***    #test0r [iZ]-LeechMe-v2 H   3 
~isozone@...te-3E773ADB.jsums.edu "IsoZone"
10:32 ***          * [iZ]-iSo-ZonE0056 H   3 
~isozone@...te-2B697911.net.msu.edu "IsoZone"
10:32 ***    #test0r [iZ]-iSo-ZonE0007 H   0 
~isozone@...te-10D6E224.NYCMNY83.covad.net "IsoZone"
10:32 ***    #test0r [iZ]-iSo-ZonE0003 H   3 
~isozone@...te-3FEB1964.ptr.us.xo.net "IsoZone"
10:32 ***    #test0r [iZ]-iSo-ZonE0002 H   0 
~isozone@...te-8BAC739.cable.ubr04.azte.blueyonder.co.uk "IsoZone"
10:32 ***    #test0r [iZ]-iSo-ZonE0025 H   1 
~isozone@...F6D33.B6EBA014.2D8998D0.IP "IsoZone"
10:32 ***          * [iZ]-iSo-ZonE0064 H   3 
~isozone@...te-12FE006B.epfl.ch "IsoZone"
10:32 ***    #test0r [iZ]-iSo-ZonE0010 H   3 
isozone@...te-2E140BBC.tampabay.rr.com "IsoZone"
10:32 ***          * [iZ]-iSo-ZonE-0100 H   3 
isozone@...te-2E0B4C93.user.msu.edu "IsoZone"
10:32 ***          * [iZ]-iSo-ZonE0036 H   3 
~isozone@...E1A.3CE391B8.6328E82.IP "IsoZone"
10:32 ***          * [iZ]-iSo-ZonE0068 H   3 
~isozone@...60BD8.8BD6C1A0.186AA253.IP "IsoZone"
10:32 ***    #test0r [iZ]-iSo-ZonE0008 H   3 
isozone@...te-3700B9B4.ed.shawcable.net "IsoZone"
10:32 ***          * [iZ]-iSo-ZonE0030 H   1 
isozone@...te-1D36B517.dsl2.sentex.ca "IsoZone"
10:32 ***    #test0r [iZ]-iSo-ZonE0009 H   3 
~isozone@...te-3FA0FEDF.SFLDMIDN.covad.net "IsoZone"
10:32 ***          * [iZ]-iSo-ZonE0021 H   3 
~isozone@...te-3B51CBE4.towson01.md.comcast.net "IsoZone"
10:32 ***          * [iZ]-iSo-ZonE0031EU H   3 
isozone@...te-3D4E6EEF.fa.g.bonet.se "IsoZone"
10:32 ***          * [iZ]-iSo-ZonE0032 H   3 
~isozone@...4164.8E1617C0.23C7EC13.IP "IsoZone"
10:32 ***  #iso-zone [iZ]-UtilServer H   0 
isozone@...te-32A20A09.ed.shawcable.net "IsoZone"
10:32 ***  #iso-zone [iZ]-iSo-ZonE0027 H   3 
isozone@...te-14A49E6D.wmb.emory.edu "IsoZone"
10:32 ***  #iso-zone [iZ]-iSo-ZonE0074 H   0 
~isozone@...te-3F426165.rollins.emory.edu "IsoZone"
10:32 *** End of /WHO list


> mentioned, "the user name is IsoZone and the credit
> line reads iSoZoNE WAS H3R3". So, your PC is being
> used to serve illegal warez to people. Even though it
> is not your fault, it can get you in trouble with the
> law.
> 
> --
> S.G.Masood
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
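The /WHO listing pasted above is the kind of thing you end up pulling into a script when you want to count bots per channel or hand a list of infected hosts to abuse contacts. The following is an added example, not code from the post or from anyone in the thread: it parses irssi-style /WHO lines in the layout shown (time, "***", channel or "*", nick, status flags, hop count, ident@host, quoted real name), re-joins records that a mail client wrapped onto two lines, and then selects entries matching the fingerprint the thread describes (nick prefix "[iZ]-", username "isozone", real name "IsoZone"). The sample input is constructed for the example: three records copied from the listing above (hosts masked exactly as in the post) plus one made-up non-bot user to show the filter leaving it out. The bot-fingerprint defaults are assumptions drawn from the thread, not from any documented XDCC bot.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed sample: three records taken from the /WHO output in the post
# (hosts left masked as they appear there) plus one made-up ordinary user,
# laid out the way a mail client wraps them at 72 columns.
SAMPLE = """\
10:32 ***    #test0r [iZ]-iSo-ZonE0001 H   3 
~isozone@...49622.62BF52C7.6CBC51B0.IP "IsoZone"
10:32 ***          * [iZ]-iSo-ZonE0086-OutOfOrder H   3 
~isozone@...te-36E2AF65.cs.vt.edu "IsoZone"
10:32 ***  #iso-zone [iZ]-UtilServer H   0 
isozone@...te-32A20A09.ed.shawcable.net "IsoZone"
10:32 ***    #test0r somebody H   2 
~bob@...te-00000000.example.net "Bob"
10:32 *** End of /WHO list
"""

# One unwrapped irssi-style /WHO record. "*" in the channel column means the
# user shares no visible channel with us.
WHO_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}) \*{3}\s+(?P<chan>\S+)\s+(?P<nick>\S+)\s+"
    r"(?P<flags>\S+)\s+(?P<hops>\d+)\s+(?P<ident>[^@\s]+)@(?P<host>\S+)"
    r'\s+"(?P<realname>[^"]*)"\s*$'
)
RECORD_START = re.compile(r"^\d{2}:\d{2} \*{3}")


@dataclass
class WhoEntry:
    time: str
    channel: str
    nick: str
    flags: str      # H = here, G = gone, may carry * (oper), @ (op), + (voice)
    hops: int
    ident: str
    host: str
    realname: str

    @property
    def no_identd(self) -> bool:
        # A leading "~" means the server got no identd reply and used the
        # username the client supplied; typical for compromised home PCs.
        return self.ident.startswith("~")

    @property
    def username(self) -> str:
        return self.ident.lstrip("~")


def unwrap_who_log(text: str) -> Iterator[str]:
    """Yield one logical record per /WHO line, re-joining wrapped tails.

    A line that does not start with a timestamp is treated as the
    continuation of the previous record; blank lines are ignored.
    """
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            if current is not None:
                yield current
            current = line
        elif current is not None:
            current = f"{current} {line}"
    if current is not None:
        yield current


def parse_who(text: str) -> List[WhoEntry]:
    """Parse the listing; lines that are not records ("End of /WHO list") are skipped."""
    entries = []
    for line in unwrap_who_log(text):
        m = WHO_LINE.match(line)
        if not m:
            continue
        entries.append(WhoEntry(
            time=m["time"], channel=m["chan"], nick=m["nick"],
            flags=m["flags"], hops=int(m["hops"]), ident=m["ident"],
            host=m["host"], realname=m["realname"],
        ))
    return entries


def find_bots(entries: List[WhoEntry], username: str = "isozone",
              nick_prefix: str = "[iZ]-", realname: str = "IsoZone") -> List[WhoEntry]:
    """Select entries matching the fingerprint described in the thread (assumed defaults)."""
    return [e for e in entries
            if e.username.lower() == username
            or e.nick.startswith(nick_prefix)
            or e.realname == realname]


def summarize_by_channel(bots: List[WhoEntry]) -> Dict[str, int]:
    """Count bots per channel column ("*" = no shared channel)."""
    return dict(Counter(e.channel for e in bots))


if __name__ == "__main__":
    bots = find_bots(parse_who(SAMPLE))
    for chan, n in sorted(summarize_by_channel(bots).items()):
        print(f"{chan:12} {n}")
    for b in bots:
        print(f"{b.nick:32} {b.host}  identd={'no' if b.no_identd else 'yes'}")
```

Matching on the ident/realname rather than only on the nick is deliberate: the bot nicks in the listing vary ("-OutOfOrder", "-LeechMe-v2", "-UtilServer") while the username and real name stay constant, so the latter are the more stable handle for counting and for pulling hosts to report.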


