Hi.

I thought I'd pass this along since we couldn't find anything in Google about it.

We found a program, regwin.exe, running in the background on a PC in our helpdesk today. It was connected to an irc server in .br. :-) I sniffed its traffic but didn't see anything interesting, just the typical irc PING/PONG messages and the login when we restarted the machine:

6828.467391 xx.xx.xx.xx -> 200.246.16.20 IRC Request

0000  00 a0 8e 78 73 c3 00 d0 ba b4 35 4b 08 00 45 00   ...xs.....5K..E.
0010  00 82 19 20 40 00 7f 06 fb 6c xx xx xx xx c8 f6   ... @....l......
0020  10 14 04 49 1a 0b 38 f5 7c 86 b1 e8 01 b9 50 18   ...I..8.|.....P.
0030  22 17 c6 d3 00 00 4e 49 43 4b 20 50 65 6e 53 61   ".....NICK PenSa
0040  64 6f 52 5f 2d 32 31 0a 55 53 45 52 20 4d 61 58   doR_-21.USER MaX
0050  69 4d 75 53 5b 58 5d 40 69 67 2e 63 6f 6d 2e 62   [EMAIL PROTECTED]
0060  72 20 22 22 20 22 22 20 3a 5f 5f 73 50 6f 30 6b   r "" "" :__sPo0k
0070  5f 5f 2d 41 77 61 79 2d 31 38 0a 4d 4f 44 45 20   __-Away-18.MODE
0080  50 65 6e 53 61 64 6f 52 5f 2d 32 31 20 2b 70 0a   PenSadoR_-21 +p.

It was set up in the registry to run when the system boots, and was cleverly labelled, "Microsoft Network Control".

Strings shows some interesting things. Looks like a list of nicknames:

CourierD
List7
lesbians[2002]
Cretina[saiu]
Medica[0ut]
SexPics[0ff]
GayBrasil[away]
SexBoy[ja-volto]
SeXinhA[X]
SEXA[--]
RodriGato_24[PT]"
Mari_aninha[i]Penelope_Xarmoza[SP]
bebelzinha[RJ]
ThIaGuInHu`[BR]
OraK[MG]

I don't have a lot of time to analyze it further. If anyone would like to see it, drop me an email.

-Vic
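As an added example, not code from Vic's post: the hex dump above carries the bot's whole IRC registration sequence in the TCP payload, and a small parser can pull it back out and flag the connection the way a network-detection rule would. The script below embeds the dump verbatim (the masked source-IP bytes `xx` are treated as zero), walks the Ethernet/IPv4/TCP headers by their length fields rather than by fixed offsets, splits the payload into IRC commands, and reports whether a NICK/USER client registration went to a well-known IRC port. The port list and the `summarize_flow` function are assumptions made for this example, not anything from the post.

```python
"""Extract and classify the IRC registration carried in the packet from the post."""
import re
from typing import Dict, List, Tuple

# The dump from the post, copied verbatim. "xx" bytes were masked by the poster.
HEXDUMP = """\
0000  00 a0 8e 78 73 c3 00 d0 ba b4 35 4b 08 00 45 00   ...xs.....5K..E.
0010  00 82 19 20 40 00 7f 06 fb 6c xx xx xx xx c8 f6   ... @....l......
0020  10 14 04 49 1a 0b 38 f5 7c 86 b1 e8 01 b9 50 18   ...I..8.|.....P.
0030  22 17 c6 d3 00 00 4e 49 43 4b 20 50 65 6e 53 61   ".....NICK PenSa
0040  64 6f 52 5f 2d 32 31 0a 55 53 45 52 20 4d 61 58   doR_-21.USER MaX
0050  69 4d 75 53 5b 58 5d 40 69 67 2e 63 6f 6d 2e 62   [EMAIL PROTECTED]
0060  72 20 22 22 20 22 22 20 3a 5f 5f 73 50 6f 30 6b   r "" "" :__sPo0k
0070  5f 5f 2d 41 77 61 79 2d 31 38 0a 4d 4f 44 45 20   __-Away-18.MODE
0080  50 65 6e 53 61 64 6f 52 5f 2d 32 31 20 2b 70 0a   PenSadoR_-21 +p.
"""

# Ports an IRC client commonly registers on (assumption for this example).
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}
_BYTE_TOKEN = re.compile(r"[0-9a-fA-Fx]{2}")


def parse_hexdump(text: str) -> bytes:
    """Turn an Ethereal-style dump back into raw frame bytes, ignoring the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        for tok in parts[1:17]:            # at most 16 byte tokens after the offset
            if not _BYTE_TOKEN.fullmatch(tok):
                break                      # reached the ASCII column early
            out.append(0 if tok.lower() == "xx" else int(tok, 16))
    return bytes(out)


def tcp_payload(frame: bytes) -> Dict[str, object]:
    """Walk Ethernet -> IPv4 -> TCP using the header length fields, return addressing + payload."""
    eth = 14
    if frame[eth] >> 4 != 4 or frame[eth + 9] != 6:
        raise ValueError("not an IPv4/TCP frame")
    ihl = (frame[eth] & 0x0F) * 4
    total_len = int.from_bytes(frame[eth + 2:eth + 4], "big")
    tcp = eth + ihl
    data_off = (frame[tcp + 12] >> 4) * 4
    return {
        "dst_ip": ".".join(str(b) for b in frame[eth + 16:eth + 20]),
        "src_port": int.from_bytes(frame[tcp:tcp + 2], "big"),
        "dst_port": int.from_bytes(frame[tcp + 2:tcp + 4], "big"),
        "payload": frame[tcp + data_off:eth + total_len],
    }


def parse_irc_line(line: str) -> Tuple[str, List[str]]:
    """Split one IRC message into (COMMAND, params); a ' :' trailing param may contain spaces."""
    if line.startswith(":"):               # optional prefix, not used by a client at login
        line = line.split(" ", 1)[1]
    if " :" in line:
        head, trailing = line.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = line.split()
    return params[0].upper(), params[1:]


def summarize_flow(dump: str) -> Dict[str, object]:
    """Decode the frame and report whether it looks like an IRC client registration."""
    info = tcp_payload(parse_hexdump(dump))
    # This bot terminates lines with bare LF; RFC 1459 specifies CRLF, so strip both.
    text = info["payload"].decode("latin-1")
    msgs = [parse_irc_line(l) for l in text.replace("\r", "").split("\n") if l]
    cmds = {cmd: params for cmd, params in msgs}
    return {
        "dst": f'{info["dst_ip"]}:{info["dst_port"]}',
        "commands": [cmd for cmd, _ in msgs],
        "nick": cmds.get("NICK", [None])[0],
        "realname": cmds.get("USER", [None] * 4)[-1] if "USER" in cmds else None,
        "irc_registration": info["dst_port"] in IRC_PORTS and {"NICK", "USER"} <= cmds.keys(),
    }


if __name__ == "__main__":
    for k, v in summarize_flow(HEXDUMP).items():
        print(f"{k}: {v}")
```

The same `summarize_flow` check works on any other captured client-to-server frame in this dump format; a bare NICK/USER pair from a workstation to a port in `IRC_PORTS`, with no user-facing IRC client installed, is the kind of signal worth alerting on.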

