-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Not an expert on mIRC, but this appears to be a DoS tool that uses
mIRC scripts to log on, listen and execute commands. There appear to
be DOS commands in mirc2.ini n112-n122. The temp2.exe is a
hidewindow program (probably to hide the mIRC window). Temp.scr is
actually a text file filled with handles (example below). From some
parts of the scripts it appears to be Win9X/ME specific (references
to c:\windows). However, check the registry "run" keys for a startup
to a self-extractor; it drops files into c:\windows\inf\g\ and
c:\windows\web32\. Somebody with more experience in mIRC can tell
more than I can.
----part of temp.scr----
RaZeR
singh
spice
staryeyes
djcoby
ANETA
rhdskleklsakj
Taylor1
-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS_at_SECURITYFOCUS.COM]On
Behalf Of Dave Woods
Sent: Tuesday, October 31, 2000 14:29
To: INCIDENTS_at_SECURITYFOCUS.COM
Subject: New Trojan????
One of our computers here recently became infected with something I
have never seen before.
When the computer starts up (WinME) it opens up 2 copies of the
FreeExtractor prog that extracts the following files:
mirc.ini
mirc2.ini
mirc3.ini
pri.ini
20139.txt
gates.txt
temp.exe
temp2.exe
whvlxd.dat
temp.scr
gates.txt contains a lot of IPs / domains in it that look to be
possibly infected hosts that this "program" is creating, as some of
them are ISP accounts, i.e. port200.hs.ip.com
temp.scr does not run (says not a valid win32 app)
I have attached the files in a zip with a password of pass101
If anyone has seen or knows what this is or how to remove it let me
know.
Sincerely,
David Woods
Techweavers Inc.
dave_at_techweavers.net
www.techweavers.net
Phone: (780)-423-3952
Fax: (780)-432-3220
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
iQA/AwUBOf9pfG+7g8loOAk5EQLY+gCgxGF8QyEvcDWbQnwxs7RyKXrXAEMAoODd
ky1q2esBjT6dx572xvEX9wsb
=SuCp
-----END PGP SIGNATURE-----
Received on Nov 02 2000
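As an added triage example (not code from the thread or from any tool it mentions), the two checks the reply suggests can be scripted: scan an exported registry file for Run/RunServices values that point into the reported drop directories, and scan a mirc-style .ini for script lines that shell out via mIRC's /run or contain plain DOS commands. The drop directories and dropped file names are the ones the thread reports; the registry export, the value names (winupd, svc) and the script lines are constructed for illustration and are not from the sample.

```python
"""Triage helpers for the mIRC-script dropper described in the thread.

The drop directories and file names come from the report; the sample
registry export and script lines below are constructed, not the sample's.
"""
import re

# Drop directories named in the reply.
DROP_DIRS = (r"c:\windows\inf\g", r"c:\windows\web32")

# Files the FreeExtractor archive was reported to drop.
DROPPED_FILES = {"mirc.ini", "mirc2.ini", "mirc3.ini", "pri.ini", "20139.txt",
                 "gates.txt", "temp.exe", "temp2.exe", "whvlxd.dat", "temp.scr"}

# Constructed .reg export in the format regedit /e writes (assumed values).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"winupd"="c:\\windows\\web32\\temp.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"svc"="c:\\windows\\inf\\g\\temp2.exe"
"""

# Autostart keys on Win9x/ME (RunServices existed there alongside Run).
AUTORUN_KEYS = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")


def parse_reg_export(reg_text):
    """Yield (key, value_name, data) for string values in a .reg export."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            if m:
                # .reg files write a backslash as \\ ; undo that escaping.
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def suspicious_autoruns(reg_text, drop_dirs=DROP_DIRS):
    """Return autorun entries whose data references a known drop directory."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.lower().endswith(AUTORUN_KEYS):
            continue
        low = data.lower()
        if any(d in low for d in drop_dirs):
            hits.append((key, name, data))
    return hits


# Constructed mirc2.ini-style script section; mIRC stores script lines as
# nNNN=... entries. The line contents are invented for illustration.
SAMPLE_INI = r"""[script]
n110=on 1:TEXT:*:#:{
n111=  echo -a $nick said $1-
n112=  /run command.com /c del c:\windows\*.log
n113=  /run c:\windows\web32\temp2.exe
n114=}
"""

# mIRC /run (and /dll) leave the client; the rest are plain DOS commands.
SHELL_PATTERN = re.compile(
    r"(^|\s)/?(run|dll|del|deltree|format|copy|command\.com)\b", re.I)


def flag_script_lines(ini_text):
    """Return (entry, text) for nNNN= lines that shell out or run DOS commands."""
    flagged = []
    for line in ini_text.splitlines():
        m = re.match(r"(n\d+)=(.*)", line)
        if m and SHELL_PATTERN.search(m.group(2)):
            flagged.append((m.group(1), m.group(2).strip()))
    return flagged


def dropped_files_present(listing):
    """Given file names from a directory listing, return those the report names."""
    return sorted({name.lower() for name in listing} & DROPPED_FILES)


if __name__ == "__main__":
    for key, name, data in suspicious_autoruns(SAMPLE_REG):
        print(f"autorun {key}\\{name} -> {data}")
    for entry, text in flag_script_lines(SAMPLE_INI):
        print(f"script {entry}: {text}")
    print(dropped_files_present(["TEMP.EXE", "notepad.exe", "gates.txt"]))
```

On a real machine the input for the first check is a `regedit /e` export of HKLM and HKCU; the second check is run over each of the mirc*.ini files, and any nNNN line that matches should be read by hand before deciding what it does.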