Vulnerability Development mailing list archives
Re: Suspicious joe.exe
From: Josh Smith <josh () viper falcon-networks com>
Date: Thu, 2 Aug 2001 02:22:21 -0400 (EDT)
About two weeks ago, while investigating a user on a server we administrate, we came across someone's stash. Included in it were tucanx.exe and kaiten.exe, which are the same as the joe.exe you posted, except the ones we found joined #tucanx and #kaitex. Along with that we found another program that is used to scan subnets looking for IIS servers vulnerable to the .printer overflow. After exploiting it, the trojan tucanx.exe is uploaded to the server and they connect to irc.icq.com and join a specified IRC channel.

After a few days we were able to catch up to the only ircop on irc.icq.com and he shut down all the channels by making them invite-only; it was the best we could think to do. The main purpose of these botnets seems to be to launch distributed Denial of Service attacks. In addition, they can be used to create chaos on IRC. We sent the trojan and the scanner to eEye.

Thanks,
Josh & lockdown