Full Disclosure mailing list archives

Re: wms.exe on win2k?


From: JTBurn <jtburn () gmx net>
Date: Sat, 27 Sep 2003 15:01:37 +0200

Hi Stephen,

Thursday, September 25, 2003, 11:53:44 PM, you wrote:

SB> Pardon me if this is old news and well known, but we are finding a WMS.exe on Win2k machines in both the WINNT and
SB> WINNT\system32 directories along with a WINNT\system32\nt directory full of
SB> installation and launching scripts plus IRC communication scripts.  

SB> McAfee and Norton have yet to identify it during a scan, but the WMS.exe program we have found is a port scanner
SB> that first tries to connect to fuel.pyroshells.com, dnsix.com, and (this is
SB> silly) 192.168.0.1 and beyond that I've not had time to analyze the little bugger yet other than to read the
SB> scripts.

SB> it uses a svcinst.exe to process a rtl386.sys containing instructions to connect to
SB> irc.elite-irc.net  6667
SB> crystal.elite-irc.net 7000
SB> darwin.elite-irc.net 6667
SB> killer.elite-irc.net 6667

SB> the user name is IsoZone and the credit line reads iSoZoNE WAS H3R3

SB> It installs files named 1MB.Test and 5MB.Test in %sysdir%\pk32 and sets up an admin password entry that looks like
SB> an MD5 hash.  We appear to be toast.

SB> So my question is whether someone out there knows what this is?



I think it's a typical form of an XDCC bot.
That means: they hacked your PC and installed
a script from which the persons from the channel
can get warez or moviez and so on from your
PC.


-- 
 cu,
 JTBurn

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
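Added triage helper, written for this archive page rather than taken from the thread: it checks a Windows root for the files and directories Stephen listed (WMS.exe, svcinst.exe, rtl386.sys, the system32\nt directory, pk32\1MB.Test and 5MB.Test) and scans `netstat -a` output for connections to the four elite-irc.net servers or ports 6667/7000. The sample tree and netstat lines in `demo()` are constructed, and the host name ws01 is a placeholder.

```python
import os
import re
import tempfile

# Paths named in the report, relative to the Windows root (e.g. C:\WINNT).
SYS32 = "system32"
FILE_INDICATORS = (["WMS.exe"]
                   + [os.path.join(SYS32, n) for n in ("WMS.exe", "svcinst.exe", "rtl386.sys")]
                   + [os.path.join(SYS32, "pk32", n) for n in ("1MB.Test", "5MB.Test")])
DIR_INDICATORS = [os.path.join(SYS32, "nt")]
# IRC servers and ports listed in the quoted rtl386.sys contents.
IRC_HOSTS = {"irc.elite-irc.net", "crystal.elite-irc.net",
             "darwin.elite-irc.net", "killer.elite-irc.net"}
IRC_PORTS = {6667, 7000}
# One 'netstat -a' line: proto, local addr:port, foreign host:port, state.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:\d+\s+(\S+):(\d+)\s*(\S*)")

def find_indicators(winroot):
    """Return the indicator files/directories that exist under winroot."""
    hits = [r for r in FILE_INDICATORS if os.path.isfile(os.path.join(winroot, r))]
    hits += [r + os.sep for r in DIR_INDICATORS
             if os.path.isdir(os.path.join(winroot, r))]
    return hits

def suspicious_connections(netstat_text):
    """Return (host, port, state) for connections to the listed IRC servers or ports."""
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            host, port, state = m.group(2), int(m.group(3)), m.group(4)
            if host in IRC_HOSTS or port in IRC_PORTS:
                found.append((host, port, state))
    return found

def demo():
    """Constructed sample: a fake WINNT tree with four indicators present and
    a fake netstat listing with one bot connection among normal traffic."""
    root = tempfile.mkdtemp()
    for rel in ["WMS.exe", os.path.join(SYS32, "rtl386.sys"),
                os.path.join(SYS32, "pk32", "5MB.Test")]:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").close()
    os.makedirs(os.path.join(root, SYS32, "nt"))
    netstat = ("  TCP    ws01:1041    mail.example.net:25    ESTABLISHED\n"
               "  TCP    ws01:1052    killer.elite-irc.net:6667    ESTABLISHED\n"
               "  TCP    ws01:139     0.0.0.0:0    LISTENING\n")
    return find_indicators(root), suspicious_connections(netstat)
```

On a real box, call `find_indicators(r"C:\WINNT")` and feed the saved output of `netstat -a` to `suspicious_connections`; a hit on the file list or a foreign port of 6667/7000 is the cue to pull the machine off the network and image it rather than clean it in place.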

