Anyone recognize what this one is?
Peter Van Epp
vanepp at sfu.ca
Wed Aug 6 16:53:17 GMT 2003
Anyone recognize what this may be? It was attempting to contact an
IRC server on 126.96.36.199:6667 (unsuccessfully from here) when detected
on someone's laptop. Our Windows folks haven't been able to identify it with
antivirus software or the various web sites to see if it may be cleanable and
apparently the owner isn't thrilled with the suggestion that they format and
reinstall (what do you mean "backup"? ...). Looks to have been caught last
Saturday or Sunday although it may not be new. Any pointers appreciated.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
> While this doesn't look like yours, the MO is similar enough that
> yours may be a variant.
Yes, there is a TFTP application there, but that's about all that looks
similar. For your unisog pals ...
The "services" that are installed are named
Microsoft Critical System Processor
Microsoft DHCP Routing Client
and are run out of the directory listed below.
The root directory is stored in the Recycle bin, as in
Contained in the root directory are 5 subdirectories and a bunch of
In the root (system32) directory, here are the files ...
The DLLs are
There are also several SYS files
And the executables
MSSVC.exe ( which is the "services" file )
There is also a text file, in the sort of a banner. The first line
Welcome to the #WaReZFoReVeR File Serving System
And finally an ini file, with one interesting line in it
The subdirectories (and their files) are as follows
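Added example, not part of the original post: a PowerShell triage check that flags services matching the indicators described above (the two service display names, `MSSVC.exe`, and an image path inside a recycle bin folder). The function name `Find-SuspectService`, the recycle bin folder pattern, and the sample records are assumptions made for illustration; the sample path is a constructed placeholder, since the post does not give the real one.

```powershell
# Indicators taken from the post: the two service display names and MSSVC.exe.
$SuspectDisplayNames = @(
    'Microsoft Critical System Processor',
    'Microsoft DHCP Routing Client'
)
# Assumption: the standard Windows recycle bin folder names (FAT, NTFS, Vista+).
$RecyclePattern = '\\(RECYCLER|RECYCLED|\$Recycle\.Bin)\\'

# Hypothetical helper: takes objects with Name, DisplayName and PathName
# properties and emits one record per service that matches any indicator.
function Find-SuspectService {
    param([Parameter(ValueFromPipeline)] $Service)
    process {
        $reasons = @()
        if ($SuspectDisplayNames -contains $Service.DisplayName) {
            $reasons += 'display name listed in the post'
        }
        if ($Service.PathName -match $RecyclePattern) {
            $reasons += 'image path under a recycle bin folder'
        }
        if ($Service.PathName -match '\\MSSVC\.exe') {
            $reasons += 'image is MSSVC.exe'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name        = $Service.Name
                DisplayName = $Service.DisplayName
                PathName    = $Service.PathName
                Reasons     = $reasons -join '; '
            }
        }
    }
}

# Constructed sample records (not from the post) to show the output shape.
$sample = @(
    [pscustomobject]@{ Name = 'Dhcp'; DisplayName = 'DHCP Client'
                       PathName = 'C:\WINDOWS\system32\svchost.exe -k netsvcs' }
    [pscustomobject]@{ Name = 'example1'; DisplayName = 'Microsoft DHCP Routing Client'
                       PathName = 'C:\RECYCLER\placeholder\system32\MSSVC.exe' }
)
$sample | Find-SuspectService | Format-List

# On a live host, feed it the real service table instead:
# Get-CimInstance -ClassName Win32_Service | Find-SuspectService | Format-List
```

Only the second sample record is reported, with all three reasons listed. A legitimate service never runs its binary from a recycle bin folder, so that check is worth keeping even when the display names differ.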