Vulnerability Development mailing list archives
RE: Suspicious JOe.exe
From: "Petruzel, Oliver" <OliverP () aegisresearch com>
Date: Fri, 3 Aug 2001 15:18:11 -0400
actually, -i think-, that the operator made it invite only in order to make the trojan dysfunctional... i believe the same solution was used for #kaiten and #knight

oliver p.
-----Original Message-----
From: OblivionO () aol com [mailto:OblivionO () aol com]
Sent: Friday, August 03, 2001 2:38 PM
To: vuln-dev () securityfocus com
Subject: Re: Suspicious JOe.exe

I ran a hex editor on a copy of Joe.exe that was sent to me and although I found most of the same information as the strings command, I was unable to find the request of invite. Upon entering the IRC network that joe.exe is connecting to I tried to enter channel "#penr0x". It is invite only, which leads me to believe that when the zombie connects to IRC it sends a request to a bot or botnetwork with a specific phrase, ordering the botnet to invite it to #penr0x.... My question is where would this phrase/nick be located in the file? I can't seem to find it although it seems to me that it should be in plain text...

~ Chris