backdoor trojan in ICKill
From: bachrach () netreach net (Bachrach)
Date: Sun, 7 Jun 1998 19:44:28 -0400

    First off, I'm not 100% sure if this is the appropriate forum for this
since it's not really a weakness, but rather a programmer who is putting
into some programs. Then again technically that's an exploit... Oh I
don't know. If this is the wrong place then I apologize profusely for the
waste of bandwidth and plead ignorance, but here goes:
    Well, chances are none of you guys have ever used this program, or even
heard of it, but there are a lot (35,000) of people who have. I originally
downloaded it because I've been researching a lot of the weaknesses in the
ICQ protocol, (which has become easier as time has gone on. :)) Anyway,
you run it, (ICKill), it creates a file in the directory called 1.exe that
acts as a fake explorer. 1.exe accesses your regedit database, and copies
itself to windows/system. It changes the regedit so that the fake one will
run on startup. It acts mostly the same as the normal explorer with one very
crucial exception. It contacts a host (I still can't figure out which one),
and executes the commands that are embedded within a text file on the
computer. Anyone see it yet? Backdoor city. I contacted the author (who left
his e-mail address in the readme), and he's the one who explained the
backdoor thing. He also told me a few other things that made me write up to
this group.
    He said that he had gotten almost 35,000 different people's systems
calling up his computer at one point; essentially he has backdoors to
35,000 systems across the globe. When I asked him why he would go through
all the trouble to do this he gave me two reasons:
1. IF (and he emphasized the if) he was a hacker he could use a couple of
other people's computers as hops when hacking into a system. Kind of nasty
for the sysadmin trying to trace a break-in huh?
2. To quote him "And the backdoors can auto-update themselves.. so Imagine I
can code a virus like backdoor... Whoaaa! This will be like THAT internet
3. He also said "Imagine also.. 35,000 backdoored (yeah, I reached this
connections pinging or SYN flooding some server.."

Well if anyone out there is using or has ever used ICKill then get rid of
it. I have actually set up a page on this to both inform people and explain
how to get rid of all traces of the program that I currently am able to at
http://members.tripod.com/~hakz/ICQ/index.html That site also has all of the
letters I wrote to him and he wrote to me if you want to see the entire
things. It's also got some other info I couldn't fit into this message,
including all of the mistakes the author made (guess he needed better beta
testing). My last question is this: if one person has backdoors into
thousands of computer systems, doesn't that pose some sort of risk to the
internet community as a whole? There's one person who's been saying that I
should notify the FBI about this. As you can see I decided to start here
first.
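The persistence the post describes (a file called 1.exe copied into windows\system and registered to start at boot, posing as explorer) is visible in the Windows autorun registry keys. The script below is an added example written for this page, not code from the post or from ICKill: it parses a REGEDIT4-style export of the Run/RunOnce/RunServices keys and lists entries that match the indicators the post gives, so an administrator can review a machine's startup entries offline. The export text is constructed sample data; the only indicators it knows are the 1.exe file name and the windows\system location from the post, and the "entry labelled like the shell" rule is an assumption added here, so the output is a review list rather than a verdict.

```python
import ntpath
import re
from typing import Dict, List, NamedTuple

# Constructed sample input (not from the post): a REGEDIT4 export of the
# autorun keys, with benign entries plus one entry shaped like the behaviour
# the post describes: 1.exe placed in windows\system and registered under an
# innocuous-looking value name so it runs at every start-up.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Explorer"="C:\\WINDOWS\\SYSTEM\\1.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ICQ"="\"C:\\Program Files\\ICQ\\ICQ.EXE\" -minimize"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" lines; .reg files escape backslash and double quote with a backslash
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
AUTORUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$', re.IGNORECASE)

SUSPECT_FILENAME = "1.exe"        # file name the post says ICKill drops
SUSPECT_DIR = "windows\\system"   # directory the post says the copy lands in


class Finding(NamedTuple):
    key: str
    name: str
    path: str
    reasons: List[str]


def _unescape(text: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: string data}} for a REGEDIT4 export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][_unescape(value_match.group(1))] = _unescape(value_match.group(2))
    return keys


def executable_path(command: str) -> str:
    """Extract the program path from an autorun command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r'(.*?\.exe)(\s|$)', command, re.IGNORECASE)
    return match.group(1) if match else command.split(' ')[0]


def suspicious_reasons(name: str, path: str) -> List[str]:
    """Indicators drawn from the post; the shell-label rule is an added assumption."""
    reasons = []
    base = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if base == SUSPECT_FILENAME:
        reasons.append("executable is named 1.exe")
    if "explorer" in name.lower() and base != "explorer.exe":
        reasons.append("entry is labelled like the shell but runs a different binary")
    if folder.endswith("\\" + SUSPECT_DIR):
        reasons.append("runs from windows\\system, where the post says the copy is placed")
    return reasons


def scan_autoruns(text: str) -> List[Finding]:
    """Parse the export and return every autorun entry that matched an indicator."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not AUTORUN_KEY_RE.search(key):
            continue
        for name, command in values.items():
            path = executable_path(command)
            reasons = suspicious_reasons(name, path)
            if reasons:
                findings.append(Finding(key, name, path, reasons))
    return findings


if __name__ == "__main__":
    for finding in scan_autoruns(SAMPLE_REG_EXPORT):
        print(f"{finding.key}\\{finding.name} -> {finding.path}")
        for reason in finding.reasons:
            print(f"    {reason}")
```

To use it on a real machine, export the Run keys with regedit and pass the file's contents to scan_autoruns; anything it lists should be checked against the on-disk file before it is removed, since legitimate Windows 9x components also start from windows\system.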

