Vulnerability Development mailing list archives

Re: Suspicious JOe.exe


From: OblivionO () aol com
Date: Fri, 3 Aug 2001 14:37:41 EDT

I ran a hex editor on a copy of Joe.exe that was sent to me, and although I 
found most of the same information as the strings command, I was unable to 
find the request of invite. Upon entering the IRC network that joe.exe is 
connecting to, I tried to enter channel "#penr0x". It is invite only, which 
leads me to believe that when the zombie connects to IRC it sends a request 
to a bot or botnetwork with a specific phrase, ordering the botnet to invite 
it to #penr0x.... My question is: where would this phrase/nick be located in 
the file? I can't seem to find it, although it seems to me that it should be in 
plain text...

 ~ Chris

