To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Resending, as it doesn't appear this message made it out the first time.
--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
--- Begin Message ---
This was discussed on another list about two weeks ago.

There are at least two versions of secrets.exe out. Both are zipsfx (iow, can be unpacked with unzip).

Archive:  secrets.exe
;The comment below contains SFX script commands
Path=C:\WINDOWS\system32\data
Setup=C:\WINDOWS\system32\data\start.exe
Silent=1
Overwrite=2

Filelist for the bot:

  Length     Date    Time    Name
 --------    ----    ----    ----
       12  11-10-06  18:01   date.txt
    27780  11-05-06  16:19   ie.exe
    13104  11-05-06  20:26   irc.exe
     5612  11-11-06  00:27   listener.exe
     8704  11-11-06  00:09   main.exe
     9392  11-10-06  18:09   mozilla.exe
   124688  03-09-04  15:45   mswinsck.ocx
        0  11-05-06  20:22   names.txt
        0  11-05-06  22:25   new.txt
        0  11-05-06  22:25   old.txt
     9543  11-05-06  20:12   servers.txt
     4816  11-10-06  22:55   start.exe
      326  11-10-06  18:42   start.reg
       18  11-10-06  18:10   address.txt
     7352  11-05-06  20:32   aim.exe
    13384  11-11-06  02:11   av.exe
 --------                    -------
   224731                    16 files

The difference between the two secrets packages is:

diff -ur secrets/date.txt update1/secrets/date.txt
--- secrets/date.txt	2006-11-10 18:01:28.000000000 -0500
+++ update1/secrets/date.txt	2006-11-11 21:02:06.000000000 -0500
@@ -1 +1 @@
- 27108088
+0
\ No newline at end of file
Binary files secrets/main.exe and update1/secrets/main.exe differ

All of the executables are packed, so it's somewhat difficult to get an idea of what they are. Someone posted a partial dump of strings from a memory image of irc.exe, though:

***** UNICODE SECTION *****
000023EC: 2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
00002494: ircSpreader\Final Stripped Version\
00002DA8: JOIN
00002FD4: Timer
00002FE0: Event
000033DC: PRIVMSG
000033FA: DCC SEND
00003444: LIST
0000346C: tem32\
0000354E: windows\system32\data\secrets.
000035C6: windows\system32\data\servers.
00003618: PART
00003630: , 133:USERID:WIN32:
0000365C: NICK
0000366C: USER BiTCH 1 1 :BiTCH PLeaSe
000036AC: PING
000036BC: PONG
000036CC: 321
000036DC: 323
000036EC: 322
00003708: 353
00003734: 366
00003744: PRIVMSG
00003762: DCC RESUME
00003788: RESUME
000037A0: ACCEPT
0000419E: jjUj
0000E07C: ircSpreader\Final Stripped Version\

Update site for this bot is http://www.oinkoinkme.com/files/update1.exe

This url appears to still be active as of this writing.

md5sums:
791e69bf4b0492b98a2ba1a859e7d549  update1.exe
9787d16652592c0683fc1803ab36624b  secrets.exe
3bae90a04668c231fdc5584d3ddb3e89  update1/secrets.exe

Sunbelt Software has a sandbox report of the original secrets.exe at
http://research.sunbelt-software.com/ViewMalware.aspx?id=6160

Hope that helps.

On Sun, Nov 26, 2006 at 11:11:02PM +0100, Geir Åge Mortensen babbled thus:
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> ----------
> Hi,
>
> We got hit by something in a channel.
>
> Can someone tell me what it was?
>
> Time of incident 22:42 26/11/2006 [CET]
>
> [22:42] * fuuoiu ([EMAIL PROTECTED]) has joined #chains
> [22:42] * fuuoiu ([EMAIL PROTECTED]) has left #chains
>
> [22:43] DCC Send from fuuoiu rejected (secrets.exe, file type ignored)
> -
> fuuoiu is [EMAIL PROTECTED] * BiTCH PLeaSe
> fuuoiu on #business +#PuiuXXX #People=Shit #mp3zone #agadir-quebec
> #Aurora_Aureae #skootterit #U.P.C. #paint_it_black
> fuuoiu using *.undernet.org The Undernet Underworld
> fuuoiu End of /WHOIS list.
> -
>
>
> How can I set up a trap to catch anything like this?
>
>
> Geir Mortensen

--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
--- End Message ---
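The reply above makes two practical points: the dropper is a zip self-extracting archive, so it can be listed with an ordinary unzip without running it, and the SFX script (Path, Setup, Silent, Overwrite) lives in the zip archive comment. The following Python script is an added example, not code from the thread, that does that triage offline: it builds a constructed stand-in archive (a dummy "MZ" stub in front of a zip whose members are placeholder bytes, with the comment text copied from the post), reads the comment and member table with Python's zipfile module, which locates the central directory from the end of the file so the extractor stub does not have to be stripped, and reports the settings a responder would want flagged. The sample archive, the function names and the indicator wording are all assumptions of this example.

```python
"""Static triage of a zip-based SFX dropper: list members and read the SFX
script from the archive comment without executing the stub.

Added example for the thread above; not the poster's code. The archive is
constructed in memory from placeholder files and is not the real sample.
"""
import io
import re
import zipfile

# Constructed SFX comment, mirroring the script lines shown in the post.
SFX_COMMENT = (
    ";The comment below contains SFX script commands\r\n"
    "Path=C:\\WINDOWS\\system32\\data\r\n"
    "Setup=C:\\WINDOWS\\system32\\data\\start.exe\r\n"
    "Silent=1\r\n"
    "Overwrite=2\r\n"
)

# Extensions whose presence in a dropper is worth calling out.
EXECUTABLE_EXT = (".exe", ".dll", ".ocx", ".scr", ".reg", ".bat", ".cmd", ".vbs")


def build_sample_sfx() -> bytes:
    """Constructed sample: fake PE stub + zip with an SFX comment (placeholder members)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in ("start.exe", "irc.exe", "servers.txt", "start.reg"):
            zf.writestr(name, b"placeholder content for " + name.encode())
        zf.comment = SFX_COMMENT.encode("ascii")
    stub = b"MZ" + b"\x00" * 510  # stand-in for the self-extractor stub
    return stub + buf.getvalue()


def parse_sfx_script(comment: bytes) -> dict:
    """Turn KEY=VALUE lines of an SFX comment into a dict; ';' lines are comments."""
    script = {}
    for line in comment.decode("latin-1").splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            script[key.strip()] = value.strip()
    return script


def inspect_sfx(data: bytes) -> dict:
    """Return the SFX script, the member table and a list of plain-text indicators.

    zipfile finds the end-of-central-directory record by scanning from the end
    of the data and corrects member offsets for the prepended stub, so the
    archive can be read in place.
    """
    zf = zipfile.ZipFile(io.BytesIO(data))
    script = parse_sfx_script(zf.comment)
    members = [(info.filename, info.file_size) for info in zf.infolist()]

    indicators = []
    if script.get("Silent") == "1":
        indicators.append("Silent=1: extraction runs without its dialog")
    if "Overwrite" in script:
        indicators.append(f"Overwrite={script['Overwrite']}: overwrite policy preset, no prompt")
    if script.get("Setup"):
        indicators.append(f"Setup: runs {script['Setup']} after extraction")
    if re.search(r"\\windows\\system32\\", script.get("Path", ""), re.I):
        indicators.append(f"Path: extracts into the Windows system directory ({script['Path']})")
    execs = [name for name, _ in members if name.lower().endswith(EXECUTABLE_EXT)]
    if execs:
        indicators.append(f"{len(execs)} executable/script member(s): {', '.join(execs)}")
    return {"script": script, "members": members, "indicators": indicators}


if __name__ == "__main__":
    report = inspect_sfx(build_sample_sfx())
    print("SFX script:", report["script"])
    for name, size in report["members"]:
        print(f"{size:8d}  {name}")
    for line in report["indicators"]:
        print("!", line)
```

To run it against a real sample, replace the call to `build_sample_sfx()` with the file's bytes; the same code path applies because `zipfile` tolerates the executable stub in front of the archive. Nothing here executes the stub or any member.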
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
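The quoted report shows the pattern the original poster wanted to trap: a nick joins, parts within the same minute, and then pushes an executable by DCC SEND. The script below is an added example, not something from the thread, that scores a channel log for exactly that join, quick part, DCC-of-executable sequence. The log lines are constructed after the mIRC-style excerpt in the post (hosts replaced with example values), and the regexes, time window and alert format are assumptions of this example.

```python
"""Flag hit-and-run DCC senders in an IRC channel log: a nick that joins,
leaves within a short window and offers an executable by DCC SEND.

Added example for the question in the thread; not the poster's code. The log
below is constructed in the same shape as the excerpt in the post.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[22:42] * fuuoiu (user@host.example) has joined #chains
[22:42] * fuuoiu (user@host.example) has left #chains
[22:43] DCC Send from fuuoiu rejected (secrets.exe, file type ignored)
[22:44] * alice (alice@host.example) has joined #chains
[22:50] <alice> hi all
[23:10] DCC Send from alice rejected (notes.txt, file type ignored)
"""

# mIRC-style log lines: [HH:MM] * nick (ident@host) has joined/left #chan,
# and the client's DCC rejection notice with the offered filename.
JOIN_RE = re.compile(r"^\[(\d\d):(\d\d)\] \* (\S+) \(\S+\) has joined (#\S+)")
PART_RE = re.compile(r"^\[(\d\d):(\d\d)\] \* (\S+) \(\S+\) has left (#\S+)")
DCC_RE = re.compile(r"^\[(\d\d):(\d\d)\] DCC Send from (\S+) \S+ \(([^,]+),")

# File types that should never arrive unsolicited over DCC.
RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs")


def minutes(hh: str, mm: str) -> int:
    """Minutes since midnight; the sample spans one evening, so no day wrap."""
    return int(hh) * 60 + int(mm)


def flag_dcc_dropins(log_text: str, max_presence_min: int = 2) -> list:
    """Return one alert per nick that joined, left within max_presence_min
    minutes and offered a risky file type by DCC SEND."""
    first_join = {}
    last_part = {}
    offers = defaultdict(list)
    for line in log_text.splitlines():
        if m := JOIN_RE.match(line):
            first_join.setdefault(m[3], minutes(m[1], m[2]))
        elif m := PART_RE.match(line):
            last_part[m[3]] = minutes(m[1], m[2])
        elif m := DCC_RE.match(line):
            offers[m[3]].append((minutes(m[1], m[2]), m[4].strip()))

    alerts = []
    for nick, files in offers.items():
        risky = [name for _, name in files if name.lower().endswith(RISKY_EXT)]
        if not risky:
            continue  # a text file from a regular is not the pattern we want
        if nick in first_join and nick in last_part:
            present = last_part[nick] - first_join[nick]
            if 0 <= present <= max_presence_min:
                alerts.append({"nick": nick, "files": risky, "present_min": present})
    return alerts


if __name__ == "__main__":
    for alert in flag_dcc_dropins(SAMPLE_LOG):
        print(f"{alert['nick']}: stayed {alert['present_min']} min, offered {alert['files']}")
```

Run over a full day of logs this gives an operator a short list of nicks to check against the server's WHOIS data, as the poster did by hand. The `alice` lines are there to show that a regular who offers a text file is not flagged.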