Vulnerability Development mailing list archives
Re: Suspicious JOe.exe
From: <oktal () gmx co uk>
Date: Fri, 3 Aug 2001 21:11:13 +0100
From: <OblivionO () aol com>
I ran a hex editor on a copy of Joe.exe that was sent to me and although I found most of the same information as the strings command, I was unable to find the request of invite. Upon entering the IRC network that joe.exe is connecting to I tried to enter channel "#penr0x". It is invite only, which leads me to believe that when the zombie connects to IRC it sends a request to a bot or botnetwork with a specific phrase, ordering the botnet to invite it to #penr0x.... My question is where would this phrase/nick be located in the file? I can't seem to find it although it seems to me that it should be in plain text...

The channel is invite-only for this reason:

From: Haul [mailto:Haul () Terrorists net]
Sent: Thursday, August 02, 2001 2:12 AM

...Fortunately, ICQ has known about this for some time and restricted access to #penr0x more than two weeks ago...