Vulnerability Development mailing list archives
Re: Suspicious joe.exe
From: "Felix Huber" <huberfelix () webtopia de>
Date: Thu, 2 Aug 2001 16:30:19 +0200
Hi Reb, i am pretty sure that this is a IRC Backdoor / Zombie. Could be used for DDoS Attacks and other bad things. You should delete the registry entry - but don't forget to look for other entries (Autostart, *.ini,...etc). And what is also very important: find the security hole the Intruder used (Unicode, IDA,...etc). Regards, Felix Huber ------------------------------------------------------- Felix Huber, Security Consultant, Webtopia Guendlinger Str.2, 79241 Ihringen - Germany huberfelix () webtopia de (07668) 951 156 (phone) http://www.webtopia.de (07668) 951 157 (fax) (01792) 205 724 (mobile) -------------------------------------------------------
Greetings all, While troubleshooting a problem with Win2k server doing a hard lock ( no response to keyboard/mouse) I happened upon the Run key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run\) and noticed that joe.exe was being started. Being that this box was no more than 2 weeks old I
found
this highly odd since it wasn't being loaded as a service and whatnot. So I'm done dealing with the 2k server hang for a bit and I start looking at this file. After I've googled and bugtraq'd my way around I can't find anything that mentions such a Trojan/virus. It seems to be some type of
irc
client that connects to 205.188.253.230 and joins #penr0x, which is +I.
If
asked I can gzip/zip up the file and send it to someone. If anyone has
any
insight to this I'd love to hear from you. Here's a bit of information on the exe. [reb@ reb]$ ls -al joe.exe -rw-r--r-- 1 reb reb 53248 Aug 1 17:58 joe.exe [reb@ reb]$ md5sum joe.exe 488c80ba0b2186a1ba52c4e69c590bc6 joe.exe Some of the more useful strings from `strings joe.exe` are: Microsoft Visual C++ Runtime Library Runtime Error! Program: <program name unknown> SunMonTueWedThuFriSat JanFebMarAprMayJunJulAugSepOctNovDec GetLastActivePopup GetActiveWindow MessageBoxA NICK VERSION KILL HELP PRIVMSG PING NOTICE %s :DNS <host> NOTICE %s :Resolving %s... NOTICE %s :Unable to resolve. NOTICE %s :Resolved to %s. NOTICE %s :GET <host> <save as> NOTICE %s :Unable to create socket. http:// NOTICE %s :Unable to resolve address. NOTICE %s :Unable to connect to http. GET /%s HTTP/1.0 Connection: Keep-Alive User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) Host: %s:80 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png,
*/*
Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 NOTICE %s :Receiving file. NOTICE %s :Saved as %s NOTICE %s :Voyager Alpha Force: Age of Kaiten NOTICE %s :NICK <nick> NOTICE %s :Nick cannot be larger than 9 characters. NICK %s NOTICE %s :UDP <target> <secs> NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd NOTICE %s :NICK <nick> = Changes the nick of the knight NOTICE %s :DNS <host> = DNSs a host NOTICE %s :IRC <command> = Sends this command to the server NOTICE %s :KILL = Kills the knight NOTICE %s :VERSION = Requests version of knight NOTICE %s :HELP = Displays this IRC SYSTEM HIDE SHOW MODE %s -xi JOIN %s : WHO %s PONG %s SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ TaskReg #penr0x 205.188.253.230 NICK %s USER %s localhost localhost :%s ERROR Reb
Current thread:
- Suspicious joe.exe Reb (Aug 01)
- Re: Suspicious joe.exe Rikul (Aug 02)
- Re: Suspicious joe.exe Blake Frantz (Aug 02)
- Re: Suspicious joe.exe Felix Huber (Aug 02)
- Re: Suspicious joe.exe Josh Smith (Aug 02)
- RE: Suspicious joe.exe Haul (Aug 02)
- RE: Suspicious joe.exe Reb (Aug 02)
- <Possible follow-ups>
- RE: Suspicious joe.exe Petruzel, Oliver (Aug 02)
- RE: Suspicious joe.exe Reb (Aug 02)
- RE: Suspicious joe.exe Mark L'Italien (Aug 02)
- RE: Suspicious joe.exe Bo Stark (Aug 02)
- Re[2]: Suspicious joe.exe Greg Wirth (Aug 03)
- RE: Suspicious joe.exe Mark L'Italien (Aug 02)
- RE: Suspicious joe.exe Haul (Aug 02)
- Re: Suspicious joe.exe Rikul (Aug 02)
- Re: Suspicious JOe.exe OblivionO (Aug 03)