[unisog] Anyone recognize what this one is?

H. Morrow Long morrow.long at yale.edu
Wed Aug 6 17:29:37 GMT 2003


Looks like one of the Windows-based variants of an IRC
proxy (like bnc) which has an FSERV file server built
into it.

Bet the laptop PC was compromised via the DCOM RPC BO exploit.

Morrow

Peter Van Epp wrote:

> 	Anyone recognize what this may be? It was attempting to contact an 
> IRC server on 208.185.81.233:6667 (unsuccessfully from here) when detected
> on someone's laptop. Our Windows folks haven't been able to identify it with 
> antivirus software or the various web sites to see if it may be cleanable and 
> apparently the owner isn't thrilled with the suggestion that they format and 
> reinstall (what do you mean "backup"? ...). Looks to have been caught last 
> Saturday or Sunday although it may not be new. Any pointers appreciated.
> 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> 
> 
>>	While this doesn't look like yours, the MO is similar enough that
>>yours may be a variant.
>>
> 
> 
> Yes, there is a TFTP application there, but that's about all that looks
> similar.  For your unisog pals ...
> 
> 
> The "services" that are installed are named
> 
>   Microsoft Critical System Processor  
> 
> and
> 
>   Microsoft DHCP Routing Client
> 
> and are run out of the directory listed below.
> 
> 
> The root directory is stored in the Recycle bin, as in
> 
>   C:\Recycler\Some-long-SID\SYSTEM32
> 
> Contained in the root directory are 5 subdirectories and a bunch of
> files.
> 
> In the root (system32) directory, here are the files ...
>   
> The DLLs are
> 
> fuck.dll
> fuckaducker.dll
> fuckaduckerfuck.dll
> masters.dll
> servers.dll
> 
> There are also several SYS files
> 
> file.sys
> modules.sys
> windll.sys
> 
> And the executables
> 
> dc.exe
> destroy.exe
> ftp.exe
> grab.exe
> id.exe
> MSSVC.exe	( which is the "services" file )
> nc.exe
> pack.exe
> sd.exe
> services.exe
> start.exe
> svchost.exe
> systray.exe
> 
> There is also a text file, sort of a banner.  The first line
> reads
> 
>   Welcome to the #WaReZFoReVeR File Serving System
> 
> 
> And finally an ini file, with one interesting line in it
> 
> n38=%installurl http://12.168.164.99/~powellt/install.exe
> 
> 
> The subdirectories (and their files) are as follows
> 
> DCOMUP
> 
> 	install.exe
> 
> FSYS
> 
> 	{empty}
> 
> LOGS
> 
> 	{empty}
> 
> MODULES
> 
> 	7a69.dll
> 	bnc.dll
> 	drivenfo.dll
> 	fservcontrol.dll
> 	modules.dll
> 	nickserv.dll
> 	processes.dll
> 	pubcom.dll
> 	raw.dll
> 	scan.dll
> 	system.dll
> 	uptime.dll
> 
> SOUNDS
> 
> 	{empty}



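An added example, not part of the thread: a small Python triage script for the on-disk layout Peter describes above (a SYSTEM32 folder under a Recycler SID directory, the MSSVC.exe "service" binary, the MODULES DLL names and the ini line carrying an `%installurl` entry). The file names and service names are the ones listed in the post; the directory tree built in `demo()` and the URL in it are constructed for the example, and the function names are the example's own.

```python
"""Triage check for the Recycler-hosted IRC proxy/FSERV layout from the thread.

Added example (not the original post's code). Indicator names come from the
post; the sample tree built by demo() is constructed here.
"""
import os
import re
import tempfile

# Module DLL names listed under MODULES in the post (no hashes were given,
# so this is a name match only, useful for triage, not proof of infection).
MODULE_DLLS = {
    "7a69.dll", "bnc.dll", "drivenfo.dll", "fservcontrol.dll", "modules.dll",
    "nickserv.dll", "processes.dll", "pubcom.dll", "raw.dll", "scan.dll",
    "system.dll", "uptime.dll",
}

# Fake "Microsoft" service display names reported in the post.
SERVICE_NAMES = {
    "microsoft critical system processor",
    "microsoft dhcp routing client",
}

# Matches ini lines of the form  n38=%installurl http://host/path
INSTALLURL_RE = re.compile(r"^\s*\w+=%installurl\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def find_recycler_system32(root):
    """Return every <root>/Recycler/<subdir>/SYSTEM32 directory.

    A system32 folder inside the recycle bin has no legitimate reason to exist,
    so any hit is worth a look regardless of what the SID subdirectory is called.
    """
    hits = []
    recycler = os.path.join(root, "Recycler")
    if not os.path.isdir(recycler):
        return hits
    for name in sorted(os.listdir(recycler)):
        candidate = os.path.join(recycler, name, "SYSTEM32")
        if os.path.isdir(candidate):
            hits.append(candidate)
    return hits


def extract_install_urls(ini_text):
    """Pull the %installurl targets out of the bot's ini text (for blocking/logging)."""
    return INSTALLURL_RE.findall(ini_text)


def suspicious_service_names(installed_names):
    """Return the installed service display names that match the post's fake names."""
    return sorted(n for n in installed_names if n.strip().lower() in SERVICE_NAMES)


def assess_directory(path):
    """Report which of the post's indicators are present in a suspect directory."""
    present = {n.lower() for n in os.listdir(path)}  # Windows names are case-insensitive
    modules_dir = os.path.join(path, "MODULES")
    modules_matched = set()
    if os.path.isdir(modules_dir):
        modules_matched = {n.lower() for n in os.listdir(modules_dir)} & MODULE_DLLS
    urls = []
    for name in sorted(os.listdir(path)):
        if name.lower().endswith(".ini"):
            with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
                urls.extend(extract_install_urls(fh.read()))
    return {
        "path": path,
        "service_binary": "mssvc.exe" in present,   # the binary behind the fake services
        "netcat": "nc.exe" in present,
        "modules_matched": sorted(modules_matched),
        "install_urls": urls,
    }


def demo():
    """Build a constructed tree mimicking the post's layout and assess it."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "Recycler", "S-1-5-21-EXAMPLE-500", "SYSTEM32")  # constructed SID
        os.makedirs(os.path.join(sys32, "MODULES"))
        for name in ("MSSVC.exe", "nc.exe", "grab.exe"):
            open(os.path.join(sys32, name), "wb").close()
        for name in ("bnc.dll", "fservcontrol.dll", "scan.dll"):
            open(os.path.join(sys32, "MODULES", name), "wb").close()
        with open(os.path.join(sys32, "bot.ini"), "w", encoding="utf-8") as fh:
            # constructed placeholder URL, not the one from the post
            fh.write("n37=%nick botuser\nn38=%installurl http://example.invalid/install.exe\n")
        found = find_recycler_system32(root)
        return assess_directory(found[0]) if found else None


if __name__ == "__main__":
    print(demo())
    print(suspicious_service_names(["Microsoft DHCP Routing Client", "Workstation"]))
```

Run it against a mounted image or a live root (`find_recycler_system32("C:\\")`) and feed the output into your ticket; the `%installurl` value is the thing to block at the proxy and search for in web logs, since it is where the bot fetches its updates.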