Full Disclosure mailing list archives
Re: wms.exe on win2k?
From: JTBurn <jtburn () gmx net>
Date: Sat, 27 Sep 2003 15:01:37 +0200
Hi Stephen,

Thursday, September 25, 2003, 11:53:44 PM, you wrote:

SB> Pardon me if this is old news and well known, but we are finding a WMS.exe on Win2k machines in both the WINNT and
SB> WINNT\system32 directories along with a WINNT\system32\nt directory full of
SB> installation and launching scripts plus IRC communication scripts.
SB> McAfee and Norton have yet to identify it during a scan, but the WMS.exe program we have found is a port scanner
SB> that first tries to connect to fuel.pyroshells.com, dnsix.com, and (this is
SB> silly) 192.168.0.1, and beyond that I've not had time to analyze the little bugger yet other than to read the scripts.
SB> It uses a svcinst.exe to process a rtl386.sys containing instructions to connect to
SB> irc.elite-irc.net 6667
SB> crystal.elite-irc.net 7000
SB> darwin.elite-irc.net 6667
SB> killer.elite-irc.net 6667
SB> The user name is IsoZone and the credit line reads iSoZoNE WAS H3R3
SB> It installs files named 1MB.Test and 5MB.Test in %sysdir%\pk32 and sets up an admin password entry that looks like
SB> an MD5 hash. We appear to be toast.
SB> So my question is whether someone out there knows what this is?
SB> _______________________________________________
SB> Full-Disclosure - We believe in it.
SB> Charter: http://lists.netsys.com/full-disclosure-charter.html

I think it's a typical form of an XDCC bot. That means: they hacked your PC and installed a script from which the persons from the channel can get warez or moviez and so on from your PC.

-- 
cu, JTBurn
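For anyone triaging other Win2k hosts against the indicators Stephen listed (file names, the scripts directory, the IRC servers and ports), here is a small host-side indicator check. This is an added example, not code from either poster or from the bot itself; the indicator values are taken from the quoted message, `%sysdir%` is assumed to be `WINNT\system32`, and the file listing and connection records it runs over are constructed sample data rather than output from a real machine.

```python
"""Indicator check for the WMS.exe / XDCC-bot infection described in the thread.

Added example (not from the original post). FILE_IOCS and NETWORK_HOSTS are the
values quoted in Stephen's message; everything under SAMPLE_* is constructed
input so the script runs offline. In practice you would feed check_paths() a
directory walk of WINNT and check_connections() the remote endpoints from
'netstat -an' or a firewall log.
"""
from dataclasses import dataclass

# File-system indicators from the post. Assumption: %sysdir% = WINNT\system32.
# Entries ending in a backslash are directories (matched anywhere in the path);
# the rest are matched against the tail of the normalized path.
FILE_IOCS = [
    "winnt\\wms.exe",
    "winnt\\system32\\wms.exe",
    "winnt\\system32\\nt\\",            # install/launch/IRC scripts directory
    "svcinst.exe",
    "rtl386.sys",
    "winnt\\system32\\pk32\\1mb.test",
    "winnt\\system32\\pk32\\5mb.test",
]

# Hosts the scanner contacts plus the IRC servers named in rtl386.sys.
NETWORK_HOSTS = {
    "fuel.pyroshells.com", "dnsix.com",
    "irc.elite-irc.net", "crystal.elite-irc.net",
    "darwin.elite-irc.net", "killer.elite-irc.net",
}
# Ports from the post; a Win2k server has no business talking to these at all.
IRC_PORTS = {6667, 7000}


@dataclass(frozen=True)
class Finding:
    kind: str      # "file", "network-host" or "network-port"
    detail: str    # the path or host:port that matched


def check_paths(paths):
    """Return one Finding per path that matches a file-system indicator."""
    findings = []
    for p in paths:
        norm = p.replace("/", "\\").lower()
        for ioc in FILE_IOCS:
            hit = ioc in norm if ioc.endswith("\\") else norm.endswith(ioc)
            if hit:
                findings.append(Finding("file", p))
                break
    return findings


def check_connections(records):
    """records: iterable of (remote_host, remote_port).

    Known hosts are reported as 'network-host'; any other connection to an IRC
    port is still worth a look and is reported as 'network-port'."""
    findings = []
    for host, port in records:
        if host.lower() in NETWORK_HOSTS:
            findings.append(Finding("network-host", f"{host}:{port}"))
        elif port in IRC_PORTS:
            findings.append(Finding("network-port", f"{host}:{port}"))
    return findings


# Constructed sample data (not from a real host): six infected-looking paths
# and two benign ones; ntoskrnl.exe checks that the "nt\" directory rule does
# not fire on files whose names merely start with "nt".
SAMPLE_PATHS = [
    "C:\\WINNT\\wms.exe",
    "C:\\WINNT\\system32\\wms.exe",
    "C:\\WINNT\\system32\\nt\\install.bat",
    "C:\\WINNT\\system32\\svcinst.exe",
    "C:\\WINNT\\system32\\rtl386.sys",
    "C:\\WINNT\\system32\\pk32\\1MB.Test",
    "C:\\WINNT\\system32\\ntoskrnl.exe",
    "C:\\WINNT\\system32\\cmd.exe",
]
SAMPLE_CONNECTIONS = [
    ("irc.elite-irc.net", 6667),
    ("crystal.elite-irc.net", 7000),
    ("chat.example.net", 6667),        # unknown host, but an IRC port
    ("files.example.com", 80),         # ordinary web traffic, no finding
]

if __name__ == "__main__":
    for f in check_paths(SAMPLE_PATHS) + check_connections(SAMPLE_CONNECTIONS):
        print(f"{f.kind:13} {f.detail}")
```

Exact file-name matches like this catch the variant Stephen described, not a renamed one, so treat an empty result as "not this build" rather than "clean"; the IRC-port rule is the more durable of the two checks.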
Current thread:
- wms.exe on win2k? Stephen Blass (Sep 27)
- <Possible follow-ups>
- Re: wms.exe on win2k? JTBurn (Sep 27)
- Re: wms.exe on win2k? S G Masood (Sep 27)
- Re: wms.exe on win2k? David (Sep 27)
- Re: wms.exe on win2k? S G Masood (Sep 27)