Vulnerability Development mailing list archives
RE: Suspicious joe.exe
From: "Petruzel, Oliver" <OliverP () aegisresearch com>
Date: Thu, 2 Aug 2001 11:23:33 -0400
Well, the kaiten.c DDoS comes to mind. It's an updated knight.c DoS that someone has simply renamed to joe when they compiled it... or maybe they added to it. Basically, from what I know of it (which is admittedly very little since I've never seen it near me), you've been zombie-fied for IRC DDoS. I also don't know the "cleaning" process offhand, but I'm sure Symantec or someone has one since the source for kaiten.c is readily available everywhere (Packetstorm).

Do me a favor, please analyze it with everything you can get your hands on, just to make sure "joe" didn't add to kaiten. I would check your logs and start from there... shouldn't be too hard since the box is 2 weeks old, right? If you need help analyzing the logs, I'll help any way I can. We all will :) But you've most certainly been compromised = my guess.

1. Is it a production box? Internet facing? Web server? What is it?...

-oliver p.
-----Original Message-----
From: Reb [mailto:reb () viametrix com]
Sent: Thursday, August 02, 2001 1:22 AM
To: VULN-DEV List
Subject: Suspicious joe.exe

Greetings all,

While troubleshooting a problem with Win2k server doing a hard lock (no response to keyboard/mouse) I happened upon the Run key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run\) and noticed that joe.exe was being started. Being that this box was no more than 2 weeks old I found this highly odd since it wasn't being loaded as a service and whatnot. So I'm done dealing with the 2k server hang for a bit and I start looking at this file. After I've googled and bugtraq'd my way around I can't find anything that mentions such a Trojan/virus. It seems to be some type of irc client that connects to 205.188.253.230 and joins #penr0x, which is +I. If asked I can gzip/zip up the file and send it to someone. If anyone has any insight to this I'd love to hear from you.

Here's a bit of information on the exe.

[reb@ reb]$ ls -al joe.exe
-rw-r--r-- 1 reb reb 53248 Aug 1 17:58 joe.exe
[reb@ reb]$ md5sum joe.exe
488c80ba0b2186a1ba52c4e69c590bc6 joe.exe

Some of the more useful strings from `strings joe.exe` are:

Microsoft Visual C++ Runtime Library
Runtime Error!
Program: <program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetLastActivePopup
GetActiveWindow
MessageBoxA
NICK
VERSION
KILL
HELP
PRIVMSG
PING
NOTICE %s :DNS <host>
NOTICE %s :Resolving %s...
NOTICE %s :Unable to resolve.
NOTICE %s :Resolved to %s.
NOTICE %s :GET <host> <save as>
NOTICE %s :Unable to create socket.
http://
NOTICE %s :Unable to resolve address.
NOTICE %s :Unable to connect to http.
GET /%s HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)
Host: %s:80
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
NOTICE %s :Receiving file.
NOTICE %s :Saved as %s
NOTICE %s :Voyager Alpha Force: Age of Kaiten
NOTICE %s :NICK <nick>
NOTICE %s :Nick cannot be larger than 9 characters.
NICK %s
NOTICE %s :UDP <target> <secs>
NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd
NOTICE %s :NICK <nick> = Changes the nick of the knight
NOTICE %s :DNS <host> = DNSs a host
NOTICE %s :IRC <command> = Sends this command to the server
NOTICE %s :KILL = Kills the knight
NOTICE %s :VERSION = Requests version of knight
NOTICE %s :HELP = Displays this
IRC
SYSTEM
HIDE
SHOW
MODE %s -xi
JOIN %s :
WHO %s
PONG %s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
TaskReg
#penr0x
205.188.253.230
NICK %s
USER %s localhost localhost :%s
ERROR

Reb
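A strings-based triage check for this kind of IRC bot, added here as an example that is not part of the thread or of any poster's code: it extracts printable runs the way `strings` does and matches them against indicators quoted from the joe.exe dump above, treating the Run-key path alone as weak evidence since ordinary installers write it too. The sample bytes are constructed for the example, not the real binary, and the hit threshold of two is an assumption.

```python
import re
import sys

# Indicator strings quoted from the `strings joe.exe` output in the thread.
# A single hit (e.g. the Run key path, which ordinary installers also write)
# is weak evidence; the verdict requires at least two (assumed threshold).
KAITEN_INDICATORS = [
    "Voyager Alpha Force: Age of Kaiten",
    "NOTICE %s :UDP <target> <secs>",
    "NOTICE %s :KILL = Kills the knight",
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "USER %s localhost localhost :%s",
]
MIN_LEN = 4  # same default as GNU strings


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return every run of printable ASCII at least min_len bytes long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    """Match extracted strings against the indicators and pull out IRC channel
    names and dotted-quad addresses so an analyst can check them against logs."""
    found = extract_strings(data)
    hits = [ind for ind in KAITEN_INDICATORS if any(ind in s for s in found)]
    channels = sorted({s for s in found if s.startswith("#")})
    ips = sorted({s for s in found if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", s)})
    return {"hits": hits, "channels": channels, "ips": ips, "verdict": len(hits) >= 2}


# Constructed stand-in for the binary: NUL-separated strings between junk bytes.
SAMPLE_BINARY = b"MZ\x90\x00\x03\x00" + b"\x00".join([
    b"Microsoft Visual C++ Runtime Library",
    b"NOTICE %s :Voyager Alpha Force: Age of Kaiten",
    b"NOTICE %s :UDP <target> <secs>",
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    b"#penr0x",
    b"205.188.253.230",
    b"USER %s localhost localhost :%s",
]) + b"\x00\xff\xfe"
# Constructed benign file: CRT strings only, so it must not be flagged.
CLEAN_BINARY = b"MZ\x90\x00" + b"\x00".join([b"Microsoft Visual C++ Runtime Library", b"GetActiveWindow"])

if __name__ == "__main__":
    samples = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("sample", SAMPLE_BINARY)]
    for name, blob in samples:
        print(name, triage(blob))
```

Run it with one or more file paths to triage real files; with no arguments it reports on the constructed sample.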