Security Incidents mailing list archives

Re: W2K Compromise - PipeCmdSrv


From: <sfuston () blomand net>
Date: 20 Oct 2002 17:51:40 -0000

In-Reply-To: <20021004233810.16182.qmail () mail securityfocus com>

Ok, well, I don't usually do this, post any info I've collected, but I am 
trying to find information back as well. I too had an experience with the 
PipeCmdSvr, and I'm still not sure exactly how it came on my machine. I am 
running Win2k Pro.

I downloaded this program called MYIE, an overlay for the IE web browser. 
During some of my searches I kept getting Chinese web sites in my tabs. I 
was just playing around with some of the settings, and when I clicked on 
the Resource button a prompt came up that said "some sites may not work 
well without the Chinese language pack installed" "Do you want to install 
the Chinese language pack". Well, I did. I know, I know, are you crazy, 
man? lol. At any rate, it proceeded to install something. Then I got a 
message from Win2k saying that some files would be overwritten; did I want 
to continue. Well, obviously I responded no, but it would not let me click 
no; the only way to gain access again to my desktop was to click yes, 
which I did. When my machine rebooted, it was much, much slower than it 
had been. Subsequent reboots had this little mIRC window coming up on 
reboot, and while I had used mIRC in the past, I had not reloaded it since 
I had done a new install of Win2k. That's what got me interested, so I 
looked in Task Manager to see what was running, and that's when I ran 
across the Explored.exe program running. Now I am no programmer or a 
Windows guru, but in 8 years of using Windows software I'm no novice 
either. That threw up a flag, so I investigated further. In doing a search 
for Explored.exe online I came up with the http://golcor.tripod.com/gtbot.htm 
site, and I was able to determine what I had: a trojan, no less. Now I 
wanted to know how and where I got it. Obviously it had come from 
downloading the Chinese language pack, but was it a MyIE program or did I 
have a bootlegged program? Well, to make this long story short, I looked 
for other MyIE download sites and found one that I deemed to be safe and 
installed it. I can't get this one to ask me for the Chinese language pack 
download, so I can only assume that I had gotten a hacked program to start 
with. Also, the MyIE executable in the bogus file was 750k and in the last 
one I installed it was only 450k. I am assuming that's how I got it. I did 
have a mirror that I made a week ago, so just to be safe I put that back 
on after renaming all the infected files and moving them into a folder on 
another drive. 

I still wanted to investigate further, so I started looking inside some of 
the mIRC files that go along with this trojan. From some of the 
information gathered I found a "report to" location: Dalnet, channel 
#Iamowned. I went there and there were about 12 nicks in the room with the 
Owned(#####) nicks; I'm guessing bots.

When I reinstalled my mirror, I put Zone Alarm back on, as I have a static 
IP and was a tad worried that someone had my IP number. Over the next 
couple of hours I got repeated hits (more than 30) from a site, 
66.28.140.212, each time at different ports, including telnet. In looking 
this up I found that this IP was registered to Cogent Communications. Not 
sure how I'm going to proceed from here. This is the first time I've been 
hacked in 9 years online. 

I'm sure this trojan can be enabled in other ways, but I just wanted to 
let you know that in this instance I think the MyIE was how it came to 
rest on my machine. Unless I have some big problems with it, I am going to 
continue to use this program, as it has an almost identical user interface 
to Opera but uses the IE web browser shell. 

I did save all the files that were a part of the trojan program after 
renaming the extensions, and if anyone would like to have one or all of 
them I would be happy to send them on. 
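The triage the poster describes by hand (reading the bot's mIRC script files for its "report to" server and channel, then counting the firewall hits that followed) can be scripted. The block below is an added example, not code from the original post or from the GT bot write-up it links to. The mIRC script fragment and the ZoneAlarm-style log lines are constructed for illustration and modelled only on what the post states (DALnet, #Iamowned, Owned(#####) nicks, repeated probes from 66.28.140.212 on several ports including telnet); the log format is approximated from memory and is an assumption, as are all function and variable names.

```python
"""Triage helpers for an mIRC-based bot of the kind described in the post.

Added example; not the poster's files or code. SAMPLE_SCRIPT and SAMPLE_LOG
are constructed inputs so the block runs offline.
"""
import re

# Constructed mIRC script fragment modelled on the poster's description of the
# "report to" location. It is NOT the real file from the compromised machine.
SAMPLE_SCRIPT = """\
; constructed sample for illustration
on 1:START: {
  server irc.dal.net 6667
  nick Owned( $+ $rand(10000,99999) $+ )
}
on 1:CONNECT: { join #Iamowned }
"""

# mIRC commands that reveal where a bot reports in. The argument runs to the
# end of the line or to the closing brace of a one-line event handler. The
# lookbehind keeps identifiers such as $server from matching.
_RENDEZVOUS = re.compile(
    r'(?<![\w$])(server|join|nick)\s+([^}\n]+?)\s*(?:\}|$)', re.IGNORECASE)


def extract_rendezvous(script_text):
    """Return servers, channels and nick patterns named in mIRC script text."""
    found = {"servers": [], "channels": [], "nicks": []}
    for line in script_text.splitlines():
        if line.lstrip().startswith(';'):        # mIRC comment line
            continue
        for cmd, arg in _RENDEZVOUS.findall(line):
            cmd = cmd.lower()
            if cmd == "server":
                host, _, port = arg.partition(' ')
                port = port.strip()
                found["servers"].append((host, int(port) if port.isdigit() else 6667))
            elif cmd == "join":
                found["channels"].extend(c for c in arg.split(',') if c.startswith('#'))
            else:
                found["nicks"].append(arg)
    return found


# Constructed ZoneAlarm-style inbound records (type,date,time,src ip:port,
# dst ip:port,proto). The field layout is approximated from memory of the
# ZoneAlarm 2.x/3.x text log and is an assumption; these are not the
# poster's actual log entries.
SAMPLE_LOG = """\
FWIN,2002/10/20,18:01:02 -5:00 GMT,66.28.140.212:3211,192.168.1.5:23,TCP (flags:S)
FWIN,2002/10/20,18:01:40 -5:00 GMT,66.28.140.212:3215,192.168.1.5:21,TCP (flags:S)
FWIN,2002/10/20,18:02:11 -5:00 GMT,66.28.140.212:3220,192.168.1.5:139,TCP (flags:S)
FWIN,2002/10/20,18:02:45 -5:00 GMT,66.28.140.212:3226,192.168.1.5:1080,TCP (flags:S)
FWIN,2002/10/20,18:03:30 -5:00 GMT,66.28.140.212:3231,192.168.1.5:6667,TCP (flags:S)
FWIN,2002/10/20,18:05:00 -5:00 GMT,203.0.113.7:1040,192.168.1.5:137,UDP
"""


def summarize_hits(log_text):
    """Count inbound (FWIN) records per source IP and collect destination ports."""
    per_source = {}
    for line in log_text.splitlines():
        fields = line.split(',')
        if len(fields) < 6 or fields[0] != "FWIN":
            continue
        src_ip = fields[3].rsplit(':', 1)[0]
        dst_port = int(fields[4].rsplit(':', 1)[1])
        entry = per_source.setdefault(src_ip, {"hits": 0, "ports": set()})
        entry["hits"] += 1
        entry["ports"].add(dst_port)
    return per_source


def repeated_sources(per_source, min_hits=30):
    """Source IPs that knocked at least min_hits times (the poster saw >30)."""
    return sorted(ip for ip, e in per_source.items() if e["hits"] >= min_hits)


if __name__ == "__main__":
    print("rendezvous:", extract_rendezvous(SAMPLE_SCRIPT))
    hits = summarize_hits(SAMPLE_LOG)
    for ip, e in hits.items():
        print(ip, "hits:", e["hits"], "ports:", sorted(e["ports"]))
    print("repeat offenders (>=3):", repeated_sources(hits, min_hits=3))
```

Run it against the real mirc.ini, remote.ini or script files the bot dropped (and the firewall's actual log, once its field order is confirmed) rather than the constructed samples; the channel and nick pattern it reports are what an incident handler would pass to the IRC network's abuse contact, and the per-source summary is what backs up a complaint to the netblock owner.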


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

