Re: W2K Compromise - PipeCmdSrv

[H C <keydet89 () yahoo com>]

Two quick questions:

1.  What does this have to do w/ PipeCmdSrv?

2.  If at one point you say, "Obviously it had came
from downloading the chinese language pack, but was it
a MyIE program or did i have a bootlegged program"
(what's a "bootlegged" program, BTW??), then why do
you follow it by saying, "just wanted to let you know
that in this instance I think the MyIE was how it came
to rest on 
my machine"?  Which is it?



--- sfuston () blomand net wrote:
> In-Reply-To:
> <20021004233810.16182.qmail () mail securityfocus com>
>
> Ok, well i dont usually do this, post any info ive
> collected but I am 
> tryin to find information back as well. I too had an
> experience with the 
> PipeCmdSvr, and im still not sure exactly how it
> came on my machine. I am 
> running win2k Pro.
>
> I downloaded this program called MYIE, an overlay
> for the IE web browser. 
> During some of my searches I kept getting chinese
> web sites in my tabs. I 
> was just playing around with some of the settings
> and when i clicked on 
> the Resource button a prompt came up that said "some
> sites may not work 
> well without the chinese language pack installed"
> "Do you want to install 
> the chinese language pack" . Well I did. I know I
> know, are you crazy man? 
> lol At any rate, it proceeded to install something.
> Then I got a message 
> from win2k saying that some files would be over
> written , did i want to 
> continue. Well obviously I responded no, but it
> would not let me click no, 
> the only way to gain access again to my desktop was
> to click yes, which i 
> did. When my machine rebooted, it was much much
> slower than it had been. 
> Subsequent reboots had this litte mirc window coming
> up on reboot, and 
> while I had used mirc in the past, I had not
> reloaded since I had done a 
> new install of Win2k.  Thats what got me interested
> , so I looked in Task 
> Manager to see what was running, and thats when i
> ran across the 
> Explored.exe program running. Now I am no programmer
> or a Windows guru , 
> but in 8 years of using windows software Im no
> novice either. That threw 
> up a flag so i investigated farther. In doing a
> search for Explored.exe 
> online I came up with the
> http://golcor.tripod.com/gtbot.htm site, and I 
> was able to determine what i had, a trojan no less.
> Now I wanted to know 
> how and where I got it. Obviously it had came from
> downloading the chinese 
> language pack, but was it a MyIE program or did i
> have a bootlegged 
> program. Well to make this long story short, I
> looked for other MyIE 
> download sites and found one that I deemed to be
> safe and installed it. I 
> cant get this one to ask me for the chinese language
> pack download, so i 
> can only assume that I had gotten a hacked program
> to start with. Also the 
> MyIE executable on the bogus file was 750k and on
> the last one i installed 
> it was only 450 k. I am assuming thats how I got it.
> I did have a mirror 
> that I made a week ago so just to be safe I put that
> back on after 
> renaming all the infected files and moving them into
> a folder on another 
> drive. 
>
> I still wanted to investigate further, so I started
> looking inside some of 
> the mirc files that goes along with this trojan.
> From some of the 
> information gathered I found a "report to "
> location. Dalnet. Channel 
> #Iamowned. I went there and there were about 12
> nicks in the room with the 
> Owned(#####) nicks , im guessing bots.
>
> When I reinstalled my mirror, I put Zone Alarm back
> on as I have a static 
> ip and was a tad worried that someone had my ip
> number. Over the next 
> couple of hours I got repeated hits (more than 30)
> from a site 
> 66.28.140.212, each time at differnt ports including
> telnet. In looking 
> this up I found that this ip was registered to
> Cogent Communications. Not 
> sure how Im going to proceed from here. This is the
> first time Ive been 
> hacked in 9 years online. 
>
> Im sure this trojan can be enabled in other ways,
> but just wanted to let 
> you know that in this instance I think the MyIE was
> how it came to rest on 
> my machine. Unless I have some big problems with it,
> I am going to 
> continue to use this program as it is almost an
> identical user interface 
> as opera but using the IE web browser shell. 
>
> I did save all the files that was a part of the
> trojan program after 
> renaming the extensions, and if anyone would like to
> have one or all of 
> them I would be happy to send them on. 
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management 
> and tracking system please see:
> http://aris.securityfocus.com


__________________________________________________
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com