Vulnerability Development mailing list archives

Re: Suspicious joe.exe


From: Josh Smith <josh () viper falcon-networks com>
Date: Thu, 2 Aug 2001 02:22:21 -0400 (EDT)

        About two weeks ago, while investigating a user on a server
we administrate, we came across someone's stash.  Included in it were
tucanx.exe and kaiten.exe, which are the same as the joe.exe you posted,
except the ones we found joined #tucanx and #kaitex.
        Along with that we found another program that is used to
scan subnets looking for IIS servers vulnerable to the .printer overflow.
After exploiting it, the trojan tucanx.exe is uploaded to the server and
they connect to irc.icq.com and join a specified irc channel.
        After a few days we were able to catch up to the only
ircop on irc.icq.com and he shut down all the channels by making them
invite-only; it was the best we could think to do.
        The main purpose of these botnets seems to be to launch
distributed Denial of Service attacks.  In addition, they can be used to
create chaos on IRC.
        We sent the trojan and the scanner to EEYE.
                                                        Thanks,
                                                        Josh & lockdown


