Re: New Trojan????

[Andrew McCall <amccall () MEDECAL COM>]

Dave,

    Looks like a copy of mIRC. The ini files are some scripts for cloning
and channel war things. The temp2.exe looks like an app for hiding windows.
So I'd say off hand, not having a copy of temp.exe in the zip that temp.exe
would be a copy of the mirc.exe executable. The gates.txt is a list of
wingate / proxy hosts for cloning the client. 20139.txt I dont know could be
a list botnet/clonenet hubs or something similar. temp.src is a text file
full of nicknames. I haven't give much time to the scripts but from a glance
it looks like the client sets it's self up as a war bot. Then the temp2.exe
hides the mirc window so that you never know that it's running on your
computer. It has all the standard commands you'd expect in a bot script,
floods and the like, that can be accessed remotely by the 'bot master'.
Removing it should be as simple as deleting it.

Cheers,
Andrew McCall

on 31/10/00 7:28 pm, Dave Woods at dave () TECHWEAVERS NET wrote:

> One of our computers here recently became infected with something I have
> never seen before.
>
> When the computer starts up (winME) it opens up 2 copies of the
> FreeExtractor prog that exctracts the following files:
> mirc.ini
> mirc2.ini
> mirc3.ini
> pri.ini
> 20139.txt
> gates.txt
> temp.exe
> temp2.exe
> whvlxd.dat
> temp.scr
>
> gates.txt contains a lot of ip's / domains in it that look to be possibly
> infected hosts that this "program" is creating as some of them are isp
> accounts ie port200.hs.ip.com
> temp.scr does not run (says not a valid win32 app)
>
> I have attached the files in a zip with a password of pass101
>
> If anyone has seen or knows what this is or how to remove it let me know.
>
> Sincerely,
> David Woods
> Techweavers Inc.
> dave () techweavers net
> www.techweavers.net
> Phone: (780)-423-3952
> Fax: (780)-432-3220