Security Incidents mailing list archives
Re: New Trojan????
From: "Erick B." <erickbe () yahoo com>
Date: Tue, 31 Oct 2000 15:44:25 -0800
temp.scr appears to be a ASCII file of IRC nicknames that MIRC (irc program) uses for data in query's. temp2.exe is a window hiding program. mirc.ini calls it with command line options that prevent it from displaying anything (possibly when it is messaging the people in the temp2.scr file). I didn't look through all the Mirc.INI files to see exactly whats going on here however. HTH, Erick --- Dave Woods <dave () TECHWEAVERS NET> wrote:
One of our computers here recently became infected with something I have never seen before. When the computer starts up (winME) it opens up 2 copies of the FreeExtractor prog that exctracts the following files: mirc.ini mirc2.ini mirc3.ini pri.ini 20139.txt gates.txt temp.exe temp2.exe whvlxd.dat temp.scr gates.txt contains a lot of ip's / domains in it that look to be possibly infected hosts that this "program" is creating as some of them are isp accounts ie port200.hs.ip.com temp.scr does not run (says not a valid win32 app)
__________________________________________________ Do You Yahoo!?
From homework help to love advice, Yahoo! Experts has your answer.
http://experts.yahoo.com/
Current thread:
- New Trojan???? Dave Woods (Nov 01)
- Re: New Trojan???? TJ Jablonowski (Nov 02)
- Re: New Trojan???? David Knaack (Nov 02)
- Re: New Trojan???? Nexus (Nov 02)
- Re: New Trojan???? Andrew McCall (Nov 02)
- <Possible follow-ups>
- Re: New Trojan???? Mike Oxbig (Nov 02)
- Re: New Trojan???? Erick B. (Nov 02)
- Re: New Trojan???? Mike Oxbig (Nov 05)
- Re: New Trojan???? wait3r (Nov 05)