Re: [Full-disclosure] What is this
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] What is this
- From: Jeremy <intrusiondetection@xxxxxxxxx>
- Date: Mon, 8 Aug 2005 16:02:22 -0400
On 8/8/05, Armando Rogerio Brandão Guimaraes Junior
<arjunior@xxxxxxxxxxxx> wrote:
> Somebody know what fuck is this? http://www.pokersverige.se/IMAGE0004.php
> AntiVirus and SpyBot doesn't detect!!!
>
> Armando Guimarães Jr
Installs a bot. Looks up lists2.dc21business.com, connects to an IRC
server on port 12000. Joins a few rooms. Gets a message/command to
download http://home.comcast.net/~soliveria/n3.exe . Does so, then
gets a message to download http://home.comcast.net/~ebaker1973/up.exe
. Reports to http://dos2.deadlist.net/ . Joins another IRC server at
204.8.34.78 port 12000. Gets told to download
http://hec-ulg-entrepreneurs.com/3.exe , then
http://hec-ulg-entrepreneurs.com/1.exe . Starts a netbios scan of
local network. Joins several different IRC chats. It just keeps going
and going and going.... Lots of spyware, lots of malware, chaos.
Still watching,
~J
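
The behaviour chain reported above (IRC on port 12000, then .exe downloads, then a NetBIOS scan of the local network) can be correlated per host from flow records. This is an added example, not part of the original message; the record layout, the scan threshold and all sample records except the 204.8.34.78:12000 endpoint are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

IRC_PORT = 12000           # C2 port reported in the message
NETBIOS_PORTS = {137, 139}
SCAN_THRESHOLD = 5         # assumption: distinct internal targets that count as a scan

# Constructed sample flow records: (epoch_seconds, src, dst, dport, http_path or None)
SAMPLE = [
    (100, "10.0.0.23", "204.8.34.78", 12000, None),
    (130, "10.0.0.23", "198.51.100.7", 80, "/3.exe"),
    (140, "10.0.0.23", "198.51.100.7", 80, "/1.exe"),
    *[(200 + i, "10.0.0.23", f"10.0.0.{50 + i}", 139, None) for i in range(6)],
    (90, "10.0.0.40", "198.51.100.9", 80, "/setup.exe"),  # .exe fetch, no C2 before it
    (300, "10.0.0.41", "10.0.0.5", 139, None),            # one file-server connection
]

def correlate(events):
    """Return {host: [stages]} for hosts that contact an external host on
    port 12000 and afterwards fetch .exe files and/or fan out over NetBIOS."""
    c2_seen = set()                 # hosts that already made the port-12000 connection
    stages = defaultdict(list)      # host -> ordered list of matched stages
    targets = defaultdict(set)      # host -> internal NetBIOS destinations
    for ts, src, dst, dport, path in sorted(events, key=lambda e: e[0]):
        if dport == IRC_PORT and not ip_address(dst).is_private:
            if src not in c2_seen:
                c2_seen.add(src)
                stages[src].append("irc_c2")
        elif src in c2_seen:        # only count activity that follows the C2 contact
            if path and path.lower().endswith(".exe"):
                if "exe_download" not in stages[src]:
                    stages[src].append("exe_download")
            elif dport in NETBIOS_PORTS and ip_address(dst).is_private:
                targets[src].add(dst)
                if (len(targets[src]) >= SCAN_THRESHOLD
                        and "netbios_scan" not in stages[src]):
                    stages[src].append("netbios_scan")
    return dict(stages)

if __name__ == "__main__":
    for host, chain in correlate(SAMPLE).items():
        print(host, " -> ".join(chain))
```

Requiring the port-12000 contact first keeps an isolated .exe download or a single file-server connection from flagging a host on its own.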