Security Incidents mailing list archives
Re: New Trojan????
From: TJ Jablonowski <t.jablonowski () MAIL-2-GO COM>
Date: Tue, 31 Oct 2000 19:54:32 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Not an expert on MIRC but this appears to be a DOS tool that uses MIRC scripts to log on, listen and execute commands. There appear to be DOS commands in mirc2.ini n112-n122. The temp2.exe is a hidewindow program (probably to hide the mirc window). Temp.scr is actually a text file filled with handles (example below).

From some parts of the scripts it appears to be Win9X/ME specific (references to c:\windows). However, check the registry "run" keys for a startup to a self extractor; it drops files into c:\windows\inf\g\ and c:\windows\web32\.

Somebody with more experience in MIRC can tell more than I can.

- ----part of temp.scr----
RaZeR
singh
spice
staryeyes
djcoby
ANETA
rhdskleklsakj
Taylor1

- -----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Dave Woods
Sent: Tuesday, October 31, 2000 14:29
To: INCIDENTS () SECURITYFOCUS COM
Subject: New Trojan????

One of our computers here recently became infected with something I have never seen before. When the computer starts up (winME) it opens up 2 copies of the FreeExtractor prog that extracts the following files:

mirc.ini
mirc2.ini
mirc3.ini
pri.ini
20139.txt
gates.txt
temp.exe
temp2.exe
whvlxd.dat
temp.scr

gates.txt contains a lot of IPs / domains in it that look to be possibly infected hosts that this "program" is creating, as some of them are ISP accounts, i.e. port200.hs.ip.com

temp.scr does not run (says not a valid win32 app).

I have attached the files in a zip with a password of pass101

If anyone has seen or knows what this is or how to remove it, let me know.

Sincerely,
David Woods
Techweavers Inc.
dave () techweavers net
www.techweavers.net
Phone: (780)-423-3952
Fax: (780)-432-3220

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOf9pfG+7g8loOAk5EQLY+gCgxGF8QyEvcDWbQnwxs7RyKXrXAEMAoODd
ky1q2esBjT6dx572xvEX9wsb
=SuCp
-----END PGP SIGNATURE-----
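The registry check suggested in the reply above, as an added example that is not part of the original thread: it scans a REGEDIT4 export from the affected machine for autostart values that point into the two drop directories or name one of the extracted files. The sample export, its value names and placeholder.exe are constructed, and the list of autostart keys is general Windows knowledge rather than something the posters stated.

```python
import re

# Paths and file names reported in the thread above.
DROP_DIRS = ("c:\\windows\\inf\\g\\", "c:\\windows\\web32\\")
DROPPED = {"mirc.ini", "mirc2.ini", "mirc3.ini", "pri.ini", "20139.txt",
           "gates.txt", "temp.exe", "temp2.exe", "whvlxd.dat", "temp.scr"}
# Standard Windows autostart keys (assumption: not listed in the thread).
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion"
                     r"\\run(once|onceex|services|servicesonce)?$", re.I)
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg exports write a backslash as \\ and a double quote as \"
    return re.sub(r"\\(.)", r"\1", s)

def suspicious_autostarts(reg_text):
    """Return (key, value name, command, reasons) for flagged autostart values."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Only values under an autostart key are inspected.
            key = line[1:-1] if RUN_KEY.search(line[1:-1]) else None
            continue
        m = VALUE.match(line)
        if key is None or m is None:
            continue
        name = "(default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        command = unescape(m.group(2))
        low = command.lower()
        reasons = ["drop dir " + d for d in DROP_DIRS if d in low]
        for token in re.split(r'[\s"]+', low):
            base = token.rsplit("\\", 1)[-1]
            if base in DROPPED:
                reasons.append("dropped file " + base)
        if reasons:
            hits.append((key, name, command, reasons))
    return hits

# Constructed sample export; value names and placeholder.exe are made up.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"placeholder1"="C:\\WINDOWS\\web32\\placeholder.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"placeholder2"="\"c:\\windows\\inf\\g\\temp2.exe\" mirc.ini"
'''
for hit in suspicious_autostarts(SAMPLE_REG):
    print(hit)
```

File names such as temp.exe are common, so a hit on a file name alone is a lead to verify, while a hit on either drop directory matches what the reply describes.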
Current thread:
- New Trojan???? Dave Woods (Nov 01)
- Re: New Trojan???? TJ Jablonowski (Nov 02)
- Re: New Trojan???? David Knaack (Nov 02)
- Re: New Trojan???? Nexus (Nov 02)
- Re: New Trojan???? Andrew McCall (Nov 02)
- <Possible follow-ups>
- Re: New Trojan???? Mike Oxbig (Nov 02)
- Re: New Trojan???? Erick B. (Nov 02)
- Re: New Trojan???? Mike Oxbig (Nov 05)
- Re: New Trojan???? wait3r (Nov 05)