Security Incidents mailing list archives

Re: New Trojan????
From: "Erick B." <erickbe () yahoo com>
Date: Tue, 31 Oct 2000 15:44:25 -0800

temp.scr appears to be an ASCII file of IRC nicknames
that MIRC (irc program) uses for data in queries.

temp2.exe is a window hiding program. mirc.ini calls
it with command line options that prevent it from
displaying anything (possibly when it is messaging the
people in the temp2.scr file).

I didn't look through all the Mirc.INI files to see
exactly what's going on here however.

HTH, Erick

--- Dave Woods <dave () TECHWEAVERS NET> wrote:
One of our computers here recently became infected with something I have
never seen before.

When the computer starts up (winME) it opens up 2 copies of the
FreeExtractor prog that extracts the following files:
mirc.ini
mirc2.ini
mirc3.ini
pri.ini
20139.txt
gates.txt
temp.exe
temp2.exe
whvlxd.dat
temp.scr

gates.txt contains a lot of IPs / domains in it that look to be possibly
infected hosts that this "program" is creating as some of them are ISP
accounts, i.e. port200.hs.ip.com
temp.scr does not run (says not a valid win32 app)


