Anyone recognize what this one is?

Peter Van Epp vanepp at sfu.ca
Wed Aug 6 16:53:17 GMT 2003


	Anyone recognize what this may be? It was attempting to contact an 
IRC server on 208.185.81.233:6667 (unsuccessfully from here) when detected
on someone's laptop. Our Windows folks haven't been able to identify it with 
antivirus software or the various web sites to see if it may be cleanable and 
apparently the owner isn't thrilled with the suggestion that they format and 
reinstall (what do you mean "backup"? ...). Looks to have been caught last 
Saturday or Sunday although it may not be new. Any pointers appreciated.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> 	While this doesn't look like yours, the MO is similar enough that
> yours may be a variant.
> 

Yes, there is a TFTP application there, but that's about all that looks
similar.  For your unisog pals ...


The "services" that are installed are named

  Microsoft Critical System Processor  

and

  Microsoft DHCP Routing Client

and are run out of the directory listed below.


The root directory is stored in the Recycle bin, as in

  C:\Recycler\Some-long-SID\SYSTEM32

Contained in the root directory are 5 subdirectories and a bunch of
files.

In the root (system32) directory, here are the files ...
  
The DLLs are

fuck.dll
fuckaducker.dll
fuckaduckerfuck.dll
masters.dll
servers.dll

There are also several SYS files

file.sys
modules.sys
windll.sys

And the executables

dc.exe
destroy.exe
ftp.exe
grab.exe
id.exe
MSSVC.exe	(which is the "services" file)
nc.exe
pack.exe
sd.exe
services.exe
start.exe
svchost.exe
systray.exe

There is also a text file, sort of a banner.  The first line
reads

  Welcome to the #WaReZFoReVeR File Serving System


And finally an ini file, with one interesting line in it

n38=%installurl http://12.168.164.99/~powellt/install.exe


The subdirectories (and their files) are as follows

DCOMUP

	install.exe

FSYS

	{empty}

LOGS

	{empty}

MODULES

	7a69.dll
	bnc.dll
	drivenfo.dll
	fservcontrol.dll
	modules.dll
	nickserv.dll
	processes.dll
	pubcom.dll
	raw.dll
	scan.dll
	system.dll
	uptime.dll

SOUNDS

	{empty}
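Added here as a defender-side example, not code from the original thread: a small Python triage routine that flags service entries showing the traits reported above (the two display names, a binary living under the Recycle Bin directory, or a system-executable name such as services.exe running outside the real system32 directory). The service records are constructed sample data and the SID in the paths is a placeholder.

```python
import re
from typing import NamedTuple

class ServiceRecord(NamedTuple):
    name: str          # service key name
    display_name: str  # what the services console shows
    image_path: str    # binary path plus arguments, as stored in the registry

# Constructed sample of installed services; the two suspicious entries mirror the
# display names and Recycler path reported in the post (SID is a placeholder).
SAMPLE_SERVICES = [
    ServiceRecord("Dhcp", "DHCP Client", r"C:\WINDOWS\System32\svchost.exe -k netsvcs"),
    ServiceRecord("MSSVC", "Microsoft Critical System Processor",
                  r"C:\Recycler\S-1-5-21-PLACEHOLDER\SYSTEM32\MSSVC.exe"),
    ServiceRecord("MSDHCPRC", "Microsoft DHCP Routing Client",
                  r"C:\Recycler\S-1-5-21-PLACEHOLDER\SYSTEM32\services.exe"),
    ServiceRecord("Spooler", "Print Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
]

KNOWN_BAD_DISPLAY_NAMES = {"microsoft critical system processor",
                           "microsoft dhcp routing client"}
RECYCLER_RE = re.compile(r"^[a-z]:\\recycle[rd]\\", re.IGNORECASE)   # Recycler / Recycled
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\system32\\", re.IGNORECASE)
SYSTEM_LOOKALIKES = {"services.exe", "svchost.exe", "systray.exe"}  # names seen in the listing

def binary_path(image_path: str) -> str:
    """Return just the executable path, dropping arguments and surrounding quotes."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split(" ", 1)[0]

def suspicious_reasons(svc: ServiceRecord) -> list[str]:
    reasons = []
    path = binary_path(svc.image_path)
    exe = path.rsplit("\\", 1)[-1].lower()
    if svc.display_name.lower() in KNOWN_BAD_DISPLAY_NAMES:
        reasons.append("display name matches the bot's service names")
    if RECYCLER_RE.match(path):
        reasons.append("binary runs out of the Recycle Bin directory")
    if exe in SYSTEM_LOOKALIKES and not SYSTEM_DIR_RE.match(path):
        reasons.append(f"{exe} outside the real system32 directory")
    return reasons

def triage(services) -> dict[str, list[str]]:
    """Map service name -> reasons, for every service with at least one finding."""
    return {s.name: r for s in services if (r := suspicious_reasons(s))}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the same checks can be fed from an export of the Services registry key instead of the constructed list.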


