Subject: Re: New Trojan????
From: Erick B. (erickbe YAHOO.COM)
Date: Tue Oct 31 2000 - 17:44:25 CST
- Next message: Crooks, James: "Re: Comments on Draft Convention on Cyber-crime - Article 3"
- Previous message: Nexus: "Re: New Trojan????"
- Next in thread: Mike Oxbig: "Re: New Trojan????"
- Maybe reply: Erick B.: "Re: New Trojan????"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
temp.scr appears to be an ASCII file of IRC nicknames
that MIRC (irc program) uses for data in queries.
temp2.exe is a window hiding program. mirc.ini calls
it with command line options that prevent it from
displaying anything (possibly when it is messaging the
people in the temp2.scr file).
I didn't look through all the Mirc.INI files to see
exactly what's going on here however.
HTH, Erick
--- Dave Woods <dave TECHWEAVERS.NET> wrote:
> One of our computers here recently became infected with something I have
> never seen before.
>
> When the computer starts up (winME) it opens up 2 copies of the
> FreeExtractor prog that extracts the following files:
> mirc.ini
> mirc2.ini
> mirc3.ini
> pri.ini
> 20139.txt
> gates.txt
> temp.exe
> temp2.exe
> whvlxd.dat
> temp.scr
>
> gates.txt contains a lot of IPs / domains in it that look to be possibly
> infected hosts that this "program" is creating as some of them are isp
> accounts ie port200.hs.ip.com
> temp.scr does not run (says not a valid win32 app)
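An added example, not part of the original messages: the thread's observation that temp.scr is an ASCII file behind an executable extension (hence "not a valid win32 app") generalizes to triaging a set of dropped files by content instead of by name. The file names come from the thread; the file contents, the `classify` and `mismatches` helpers and the extension list are constructed for illustration.

```python
import string
import struct

PRINTABLE = set(string.printable.encode("ascii"))
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".dll"}  # assumed list for this example


def classify(data: bytes) -> str:
    """Classify content as 'pe', 'mz-no-pe', 'ascii-text', 'empty' or 'unknown'."""
    if not data:
        return "empty"
    if data[:2] == b"MZ":
        # The DOS header field e_lfanew (offset 0x3C) points at 'PE\0\0'.
        if len(data) >= 0x40:
            (pe_off,) = struct.unpack_from("<I", data, 0x3C)
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "pe"
        return "mz-no-pe"
    if all(b in PRINTABLE for b in data[:4096]):
        return "ascii-text"
    return "unknown"


def mismatches(files: dict) -> list:
    """Return (name, kind) where the extension and the content disagree."""
    out = []
    for name, data in sorted(files.items()):
        ext = name[name.rfind("."):].lower() if "." in name else ""
        kind = classify(data)
        if (ext in EXECUTABLE_EXTS) != (kind == "pe"):
            out.append((name, kind))
    return out


# Constructed sample content: a minimal MZ/PE header stub and short text files.
PE_STUB = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
SAMPLE = {
    "temp.exe": PE_STUB,
    "temp2.exe": PE_STUB,
    "temp.scr": b"nick_one\r\nnick_two\r\n",
    "gates.txt": b"host1.example\r\nhost2.example\r\n",
    "mirc.ini": b"[text]\r\n",
}

if __name__ == "__main__":
    for name, kind in mismatches(SAMPLE):
        print(f"{name}: extension suggests an executable, content is {kind}")
```
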