Vulnerability Development
mailing list archives
Re: Suspicious JOe.exe
From: Tony Lambiris <methodic () libpcap net>
Date: Fri, 3 Aug 2001 15:35:34 -0400
If you've got a spare machine kicking around, install NT on it, then
tcpdump the LAN traffic and you should be able to snake the key that
way.. it should work through VMware as well..
On 08.03.01, OblivionO () aol com wrote:
I ran a hex editor on a copy of Joe.exe that was sent to me and although I
found most of the same information as the strings command, I was unable to
find the request of invite. Upon entering the IRC network that joe.exe is
connecting to I tried to enter channel "#penr0x". It is invite only, which
leads me to believe that when the zombie connects to IRC it sends a request
to a bot or botnetwork with a specific phrase, ordering the botnet to invite
it to #penr0x.... My question is where would this phrase/nick be located in
the file? I can't seem to find it although it seems to me that it should be in
plain text...
~ Chris
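
Added example, not part of the original thread: once a lab capture of the sample's IRC session exists, the lines the infected host sent before the server's INVITE (or a key passed on JOIN) show the trigger even when it is not stored as a plain string in the binary. The code assumes the TCP stream has already been reassembled into per-direction lines; the session below, including nicks, hosts and the phrase, is constructed for illustration.

```python
# Constructed sample: one IRC TCP stream recovered from a lab capture.
# "C" = sent by the infected host, "S" = sent by the server. All values invented.
SAMPLE_SESSION = [
    ("C", "NICK zmb4821"),
    ("C", "USER zmb 0 * :zmb"),
    ("S", ":irc.example.net 001 zmb4821 :Welcome"),
    ("C", "PRIVMSG gatebot :letmein-EXAMPLE"),
    ("S", ":gatebot!g@example.net INVITE zmb4821 :#penr0x"),
    ("C", "JOIN #penr0x"),
    ("S", ":zmb4821!zmb@lab.example JOIN :#penr0x"),
]

def parse_irc(line):
    """Split one IRC line into (prefix, command, params), RFC 1459 style."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if sep:
        parts.append(trailing)   # trailing parameter may contain spaces
    if not parts:
        return prefix, "", []
    return prefix, parts[0].upper(), parts[1:]

def find_invite_trigger(session, channel):
    """Report what the client sent before it was let into `channel`."""
    chan = channel.lower()
    sent = []  # client PRIVMSG/NOTICE so far, as (target, text)
    out = {"invited_by": None, "candidates": [], "join_key": None}
    for direction, line in session:
        prefix, cmd, params = parse_irc(line.rstrip("\r\n"))
        if direction == "C" and cmd in ("PRIVMSG", "NOTICE") and len(params) > 1:
            sent.append((params[0], params[1]))
        elif direction == "S" and cmd == "INVITE" and len(params) > 1:
            if params[1].lower() != chan:
                continue
            inviter = (prefix or "").split("!")[0]
            out["invited_by"] = inviter
            # Messages addressed to the inviter are the likeliest trigger.
            to_inviter = [m for m in sent if m[0].lower() == inviter.lower()]
            out["candidates"] = to_inviter or list(sent)
        elif direction == "C" and cmd == "JOIN" and params:
            # A +k channel key travels as the second JOIN parameter.
            keys = params[1].split(",") if len(params) > 1 else []
            for i, name in enumerate(params[0].split(",")):
                if name.lower() == chan and i < len(keys):
                    out["join_key"] = keys[i]
    return out
```

If no message was addressed to the inviting nick, every message the client sent before the INVITE is returned as a candidate instead.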