Vulnerability Development mailing list archives

Re: Suspicious JOE.EXE


From: "Roy Wilson" <rwilson9 () twcny rr com>
Date: Sun, 05 Aug 2001 18:42:01 -0400


        I've seen a lot here on it being an email attachment, I've
found such DDoS Zombie programs more likely to be executed on
workstations by auto-decryption of binary NewsGroup postings than any
other method.  The .binaries channels are loaded with them in all kinds
of flavors and varieties, usually a 55k .exe, but I've seen .com and
some macro/script variants as well.

        The newsgroup versions are usually a small exe which contacts a
server and downloads/installs the trojan in the background.  Usually in
either \windows or \windows\system.

        Almost all of them are kiddie modified versions of cBot, and
since "cBot" appears in 90% of the trojan exe's in clear text, it's not
a big deal to scan for and delete them.  Although Symantec hasn't
seemed to realize that yet, quite a few of them waltz right past their
AV software.  ZoneAlarm has yet to miss one that I've seen, either the
small preload or the full trojan.

        Not much I can do with the nets I administer to prevent access
to the most offending groups (binaries.erotica.xyz), as the nets *need*
NG access and I haven't found a way to prevent access to any groups
other than the approved ones short of setting up a private news server.

Roy Wilson  <Emperor_Wilson () email com> <WINS#6>

Numismatist?  <www.winsociety.ws>
PGP Key available from certserver.pgp.com or pgpkeys.mit.edu
Caesar si viveret, ad remum dareris
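The post's observation that the clear-text string "cBot" appears in most of the modified binaries suggests a simple triage check: walk a tree and flag files carrying the marker. The script below is an added example, not code from the post or its author; the marker list, the sample file names and the constructed byte contents are assumptions for illustration, and the "evasive" file shows the obvious limitation of a narrow byte-string scan.

```python
import os
import tempfile
from pathlib import Path

# Clear-text marker the post says shows up in most of the modified cBot binaries.
MARKERS = [b"cBot"]


def scan_bytes(data: bytes, markers=MARKERS) -> list:
    """Return the markers present in `data` (byte-wise, case-sensitive match)."""
    return [m.decode("ascii") for m in markers if m in data]


def scan_file(path, markers=MARKERS, max_size=16 * 1024 * 1024):
    """Scan one file; skip anything larger than max_size to bound memory use."""
    p = Path(path)
    try:
        if p.stat().st_size > max_size:
            return []
        return scan_bytes(p.read_bytes(), markers)
    except OSError:
        return []  # unreadable, or removed between listing and read


def scan_tree(root, markers=MARKERS):
    """Walk `root` and return [(relative path, [markers found]), ...] for hits."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            found = scan_file(p, markers)
            if found:
                hits.append((p.relative_to(root).as_posix(), found))
    return hits


def demo():
    """Build a constructed sample tree (not real malware) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "windows" / "system").mkdir(parents=True)
        # constructed: a fake small "preload" exe carrying the marker in clear text
        (root / "windows" / "preload.exe").write_bytes(
            b"MZ" + b"\x00" * 64 + b"cBot v0.1" + b"\x00" * 64
        )
        # constructed: a benign file with no marker
        (root / "windows" / "system" / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 128)
        # constructed: the same marker stored as a UTF-16 wide string,
        # which a narrow byte-string scan does not match
        (root / "windows" / "system" / "evasive.exe").write_bytes(
            b"MZ" + "cBot".encode("utf-16-le")
        )
        return scan_tree(root)


if __name__ == "__main__":
    for path, found in demo():
        print(f"{path}: {', '.join(found)}")
```

A marker scan like this is cheap to run over \windows and \windows\system on a workstation, but it is a triage aid, not assurance: a packed, encoded or wide-string copy of the same binary (as `evasive.exe` shows) passes it, which is the same gap the post describes in the AV product.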