Security Incidents mailing list archives

Re: New Trojan????


From: TJ Jablonowski <t.jablonowski () MAIL-2-GO COM>
Date: Tue, 31 Oct 2000 19:54:32 -0500


Not an expert on mIRC, but this appears to be a DOS tool that uses mIRC scripts to log on, listen and execute commands. There appear to be DOS commands in mirc2.ini n112-n122. The temp2.exe is a hidewindow program (probably to hide the mIRC window). Temp.scr is actually a text file filled with handles (example below). From some parts of the scripts it appears to be Win9X/ME specific (references to c:\windows). However, check the registry "run" keys for a startup to a self extractor; it drops files into c:\windows\inf\g\ and c:\windows\web32\. Somebody with more experience in mIRC can tell more than I can.

----part of temp.scr----
RaZeR
singh
spice
staryeyes
djcoby
ANETA
rhdskleklsakj
Taylor1



-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of Dave Woods
Sent: Tuesday, October 31, 2000 14:29
To: INCIDENTS () SECURITYFOCUS COM
Subject: New Trojan????


One of our computers here recently became infected with something I have never seen before.

When the computer starts up (winME) it opens up 2 copies of the FreeExtractor prog that extracts the following files:
mirc.ini
mirc2.ini
mirc3.ini
pri.ini
20139.txt
gates.txt
temp.exe
temp2.exe
whvlxd.dat
temp.scr

gates.txt contains a lot of IPs / domains in it that look to be possibly infected hosts that this "program" is creating, as some of them are ISP accounts, i.e. port200.hs.ip.com.
temp.scr does not run (says not a valid win32 app).

I have attached the files in a zip with a password of pass101

If anyone has seen or knows what this is or how to remove it let me
know.

Sincerely,
David Woods
Techweavers Inc.
dave () techweavers net
www.techweavers.net
Phone: (780)-423-3952
Fax: (780)-432-3220


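As an added defender-side example (not code from either poster), a small Python triage helper built on the indicators in this thread: Run-key commands that launch something from the two drop directories TJ names, and the file names from Dave's list. The "Name=Command" dump format and the sample registry entries and file paths are constructed for illustration; on a real host you would feed it the output of a registry export and a directory walk.

```python
"""Triage helper for the mIRC-based dropper described in the thread."""
import ntpath
import re

# Drop directories named in the thread (paths are case-insensitive on Win9x/ME).
DROP_DIRS = (r"c:\windows\inf\g", r"c:\windows\web32")
# File names the self-extractor was reported to write.
DROPPED_FILES = {"mirc.ini", "mirc2.ini", "mirc3.ini", "pri.ini", "20139.txt",
                 "gates.txt", "temp.exe", "temp2.exe", "whvlxd.dat", "temp.scr"}

def _norm(path):
    """Lower-case, strip quotes and unify separators so comparisons are stable."""
    return path.strip().strip('"').lower().replace("/", "\\")

def _in_drop_dir(path):
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in DROP_DIRS)

def suspicious_run_entries(run_lines):
    """Return (name, command) pairs from a constructed 'Name=Command' dump of the
    Run keys whose executable lives in a drop directory or is a dropped file."""
    hits = []
    for line in run_lines:
        if "=" not in line:
            continue
        name, cmd = line.split("=", 1)
        # First token is the executable; tolerate a quoted path with arguments.
        m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
        exe = (m.group(1) or m.group(2)) if m else cmd
        if _in_drop_dir(exe) or ntpath.basename(_norm(exe)) in DROPPED_FILES:
            hits.append((name.strip(), cmd.strip()))
    return hits

def dropped_files_present(file_paths):
    """Which of the reported dropped files sit inside one of the drop dirs."""
    found = set()
    for f in file_paths:
        p = _norm(f)
        if _in_drop_dir(p) and ntpath.basename(p) in DROPPED_FILES:
            found.add(ntpath.basename(p))
    return sorted(found)

# Constructed sample data (not from the thread): two benign entries, two hits.
SAMPLE_RUN = ['ScanRegistry=c:\\windows\\scanregw.exe /autorun',
              'SystemTray=SysTray.Exe',
              'web32="C:\\WINDOWS\\web32\\temp.exe"',
              'inf=C:\\Windows\\inf\\g\\setup.exe -s']
SAMPLE_FILES = [r'C:\WINDOWS\web32\mirc.ini', r'C:\WINDOWS\web32\gates.txt',
                r'C:\WINDOWS\win.ini', r'C:\WINDOWS\inf\g\temp.scr']

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_RUN))
    print(dropped_files_present(SAMPLE_FILES))
```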

