Full Disclosure mailing list archives

Re: wms.exe on win2k?

From: David <ph1 () cogeco ca>
Date: Sat, 27 Sep 2003 10:37:49 -0400

S G Masood wrote:

--- JTBurn <jtburn () gmx net> wrote:

I think it's a typicall form of an XDCC-BoT.
that means: they hacked your pc and installed
a script from which the persons from the channel
can get warez or moviez and so one from your
pc.


--
cu,
JTBurn



Hello,

I think you are right. In the irc servers mentioned in
the original post, there is a warez trading channel
called "#isozone" and as the original poster

Actually it's #iso-zone and I think their control channel was #okie assomeone mentioned before. #okie looks like it was closed down (only 2people left in it, looks like some were moved to #test0r) and #iso-zonelooks like they are having a lack of warez sharing bots.


10:36 [ctcp([iZ]-iSo-ZonE0074)] VERSION
10:36 CTCP VERSION reply from [iZ]-iSo-ZonE0074: Xans XDCC Bot 0.51

Here is a quick scan of some infected machines (if these are the same bots).

10:32 *** * [iZ]-iSo-ZonE0043 H 3~isozone () 1D1633A0 8BD6C1A0 186AA253 IP "IsoZone"10:32 *** * [iZ]-iSo-ZonE0004 H 3~isozone () Elite-2CA6A92 wma east verizon net "IsoZone"10:32 *** #test0r [iZ]-iSo-ZonE0001 H 3~isozone () 21749622 62BF52C7 6CBC51B0 IP "IsoZone"10:32 *** #test0r [iZ]-iSo-ZonE0011 H 3~isozone () 3370764D 6466F028 76139EF4 IP "IsoZone"10:32 *** #test0r [iZ]-iSo-ZonE0062 H 3~isozone () Elite-1E90FB7B dyn optonline net "IsoZone"10:32 *** * [iZ]-iSo-ZonE0086-OutOfOrder H 3~isozone () Elite-36E2AF65 cs vt edu "IsoZone"10:32 *** #test0r [iZ]-LeechMe-v2 H 3~isozone () Elite-3E773ADB jsums edu "IsoZone"10:32 *** * [iZ]-iSo-ZonE0056 H 3~isozone () Elite-2B697911 net msu edu "IsoZone"10:32 *** #test0r [iZ]-iSo-ZonE0007 H 0~isozone () Elite-10D6E224 NYCMNY83 covad net "IsoZone"10:32 *** #test0r [iZ]-iSo-ZonE0003 H 3~isozone () Elite-3FEB1964 ptr us xo net "IsoZone"

10:32 ***    #test0r [iZ]-iSo-ZonE0002 H   0

~isozone () Elite-8BAC739 cable ubr04 azte blueyonder co uk "IsoZone"

10:32 *** #test0r [iZ]-iSo-ZonE0025 H 1~isozone () 1BDF6D33 B6EBA014 2D8998D0 IP "IsoZone"10:32 *** * [iZ]-iSo-ZonE0064 H 3~isozone () Elite-12FE006B epfl ch "IsoZone"10:32 *** #test0r [iZ]-iSo-ZonE0010 H 3isozone () Elite-2E140BBC tampabay rr com "IsoZone"10:32 *** * [iZ]-iSo-ZonE-0100 H 3isozone () Elite-2E0B4C93 user msu edu "IsoZone"10:32 *** * [iZ]-iSo-ZonE0036 H 3~isozone () 252E1A 3CE391B8 6328E82 IP "IsoZone"10:32 *** * [iZ]-iSo-ZonE0068 H 3~isozone () 27160BD8 8BD6C1A0 186AA253 IP "IsoZone"10:32 *** #test0r [iZ]-iSo-ZonE0008 H 3isozone () Elite-3700B9B4 ed shawcable net "IsoZone"10:32 *** * [iZ]-iSo-ZonE0030 H 1isozone () Elite-1D36B517 dsl2 sentex ca "IsoZone"10:32 *** #test0r [iZ]-iSo-ZonE0009 H 3~isozone () Elite-3FA0FEDF SFLDMIDN covad net "IsoZone"10:32 *** * [iZ]-iSo-ZonE0021 H 3~isozone () Elite-3B51CBE4 towson01 md comcast net

                     "IsoZone"

10:32 *** * [iZ]-iSo-ZonE0031EU H 3isozone () Elite-3D4E6EEF fa g bonet se "IsoZone"10:32 *** * [iZ]-iSo-ZonE0032 H 3~isozone () 5B54164 8E1617C0 23C7EC13 IP "IsoZone"10:32 *** #iso-zone [iZ]-UtilServer H 0isozone () Elite-32A20A09 ed shawcable net "IsoZone"10:32 *** #iso-zone [iZ]-iSo-ZonE0027 H 3isozone () Elite-14A49E6D wmb emory edu "IsoZone"10:32 *** #iso-zone [iZ]-iSo-ZonE0074 H 0~isozone () Elite-3F426165 rollins emory edu "IsoZone"

10:32 *** End of /WHO list

mentioned, "the user name is IsoZone and the credit
line reads iSoZoNE WAS H3R3". So, your PC is being
used to serve illegal warez to people. Even though it
is not your fault, it can get you in trouble with the
law.

--
S.G.Masood

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

wms.exe on win2k? Stephen Blass (Sep 27)
- <Possible follow-ups>
- Re: wms.exe on win2k? JTBurn (Sep 27)
  - Re: wms.exe on win2k? S G Masood (Sep 27)
    - Re: wms.exe on win2k? David (Sep 27)