Vulnerability Development
mailing list archives
RE: Suspicious JOe.exe
From: "Petruzel, Oliver" <OliverP () aegisresearch com>
Date: Fri, 3 Aug 2001 15:18:11 -0400
actually, -I think-, that the operator made it invite only in order to make
the trojan dysfunctional... I believe the same solution was used for #kaiten
and #knight
oliver p.
-----Original Message-----
From: OblivionO () aol com [mailto:OblivionO () aol com]
Sent: Friday, August 03, 2001 2:38 PM
To: vuln-dev () securityfocus com
Subject: Re: Suspicious JOe.exe
I ran a hex editor on a copy of Joe.exe that was sent to me, and although I
found most of the same information as the strings command, I was unable to
find the request of invite. Upon entering the IRC network that joe.exe is
connecting to, I tried to enter channel "#penr0x". It is invite only, which
leads me to believe that when the zombie connects to IRC it sends a request
to a bot or botnetwork with a specific phrase, ordering the botnet to invite
it to #penr0x.... My question is where would this phrase/nick be located in
the file? I can't seem to find it, although it seems to me that it should be
in plain text...
~ Chris
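
An added example, not part of the thread or of either poster's analysis: a static search for IRC commands in a binary, assuming (the thread does not establish this) that a command missing from `strings` output could be stored as UTF-16LE or masked with a single-byte XOR key. The sample bytes, the bot nick and the phrase are constructed placeholders; only the channel name comes from the thread.

```python
import re

# IRC commands a client would use to register and reach a channel.
IRC_KEYWORDS = [b"NICK", b"JOIN", b"INVITE", b"PRIVMSG", b"NOTICE"]

def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # `strings` skips these by default: ASCII characters stored as 16-bit units.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)

def xor_keyword_hits(data, keywords=IRC_KEYWORDS):
    """Return (offset, key, keyword) where a keyword sits under a 1-byte XOR key."""
    hits = []
    for key in range(1, 256):  # key 0 is plain text, covered by extract_strings
        for kw in keywords:
            needle = bytes(b ^ key for b in kw)
            pos = data.find(needle)
            while pos != -1:
                hits.append((pos, key, kw.decode()))
                pos = data.find(needle, pos + 1)
    return sorted(hits)

def triage(data):
    """Split findings into readable IRC strings and XOR-masked keyword hits."""
    plain = [(off, enc, s) for off, enc, s in extract_strings(data)
             if any(kw.decode() in s.upper() for kw in IRC_KEYWORDS)]
    return {"plain": plain, "xor": xor_keyword_hits(data)}

# Constructed sample bytes, not taken from Joe.exe; nick and phrase are placeholders.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
          + b"JOIN #penr0x\r\n\x00"
          + "NICK %s".encode("utf-16le") + b"\x00\x00"
          + bytes(b ^ 0x5A for b in b"PRIVMSG examplebot :example-phrase")
          + b"\x00" * 4)

if __name__ == "__main__":
    report = triage(SAMPLE)
    for off, enc, s in report["plain"]:
        print(f"0x{off:04x} {enc:9} {s!r}")
    for off, key, kw in report["xor"]:
        print(f"0x{off:04x} xor 0x{key:02x} hides {kw}")
```

A hit under key 0x20 only means the letter case is flipped, so it usually points at a lowercase plain-text command rather than at masking.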