Re: Win 95 Question- Sounds like a butplug for orifice

[dpavone () APCC COM (Dave Pavone)]

The machine may be infected with back orifice. There is a butplug (plug in)
for back orifice which connects the infected machine to IRC and posts it's
IP address into the channel. This way crackers can sit in the channel and
wait for compromised computers to announce themselves by posting their IP
address. There are probably other Trojans that do this as well. I would
remove those machines from the network and reinstall the OS, it sounds like
a Trojan has found it's way on to them.

Good Luck,
Dave Pavone

Please respond to Eric Miawald <emaiwald () FRED NET>

To:   INCIDENTS () SECURITYFOCUS COM
cc:    (bcc: David Pavone/CORP/NAM/APCC)
From: Eric Miawald <emaiwald () FRED NET> on 02/21/2000 07:14 PM
Subject:  Win 95 Question

Got a question from a friend that sounded familiar but I could not
quite place it.

He has a few win 95 boxes that try to connect to some IRC chat rooms
when they boot.  He can't seem to find the process that is doing this.
I thought it sounded something like Ring Zero but not quite.  Anyone
else seen this?

Eric

---------------------------------------------------------------------
Eric Maiwald                                        emaiwald () fred net
So Many Hobbies, So little time
---------------------------------------------------------------------