actually, -i think-, that the operator made it invite only in order to make
the trojan disfunctional... i believe same solution was used for #kaiten and
#knight

oliver p.

> -----Original Message-----
> From: OblivionOaol.com [mailto:OblivionOaol.com]
> Sent: Friday, August 03, 2001 2:38 PM
> To: vuln-devsecurityfocus.com
> Subject: Re: Suspicious JOe.exe
>
>
> I ran a hex editor on a copy of Joe.exe that was sent to me
> and although i
> found most of the same information as the strings command, i
> was unable to
> find the request of invite. Upon entering the iRC network
> that joe.exe is
> connecting to i tried to enter channel "#penr0x". It is
> invite only, whcih
> leads me to believe that when the zombie connects to irc it
> sends a request
> to a bot or botnetwork with a specific phrase, ordering the
> botnet to invite
> it to #penr0x.... My question is where would this phrase/nick
> be located in
> the file? i cant seem to find it although it seems to me that
> it should be in
> plain text...
>
> ~ Chris
>

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]