Pardon me if this is old news and well known, but we are finding a WMS.exe on Win2k machines in both the WINNT and WINNT\system32 directories along with a WINNT\system32\nt directory full of installation and launching scripts plus IRC communication scripts.
Mcaffee and Norton have yet to identify it during a scan, but the WMS.exe program we have found is a port scanner that first tries to connect to fuel.pyroshells.com, dnsix.com, and (this is silly) 192.168.0.1 and beyond that I've not had time to analyze the little bugger yet other than to read the scripts. it uses a svcinst.exe to process a rtl386.sys containing instructions to connect to irc.elite-irc.net 6667 crystal.elite-irc.net 7000 darwin.elite-irc.net 6667 killer.elite-irc.net 6667 the user name is IsoZone and the credit line reads iSoZoNE WAS H3R3 It installs files named 1MB.Test and 5MB.Test in %sysdir%\pk32 and sets up an admin password entry that looks like an MD5 hash. We appear to be toast. So my question is whether someone out there knows what this is? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
