Full Disclosure mailing list archives
Re: wms.exe on win2k?
From: David <ph1 () cogeco ca>
Date: Sat, 27 Sep 2003 10:37:49 -0400
S G Masood wrote:
--- JTBurn <jtburn () gmx net> wrote:

I think it's a typical form of an XDCC-BoT. That means: they hacked your pc and installed a script from which the persons from the channel can get warez or moviez and so on from your pc.

--
cu, JTBurn

Hello,

I think you are right. In the irc servers mentioned in the original post, there is a warez trading channel called "#isozone" and as the original poster
Actually it's #iso-zone and I think their control channel was #okie as someone mentioned before. #okie looks like it was closed down (only 2 people left in it, looks like some were moved to #test0r) and #iso-zone looks like they are having a lack of warez sharing bots.
10:36 [ctcp([iZ]-iSo-ZonE0074)] VERSION
10:36 CTCP VERSION reply from [iZ]-iSo-ZonE0074: Xans XDCC Bot 0.51

Here is a quick scan of some infected machines (if these are the same bots).
mentioned, "the user name is IsoZone and the credit line reads iSoZoNE WAS H3R3". So, your PC is being used to serve illegal warez to people. Even though it is not your fault, it can get you in trouble with the law.

--
S.G.Masood

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html