[Full-Disclosure] wms.exe on win2k?
- To: Full Disclosure <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: [Full-Disclosure] wms.exe on win2k?
- From: Stephen Blass <Stephen.Blass@xxxxxxx>
- Date: Thu, 25 Sep 2003 14:53:44 -0700
Pardon me if this is old news and well known, but we are finding a WMS.exe on
Win2k machines in both the WINNT and WINNT\system32 directories along with a
WINNT\system32\nt directory full of installation and launching scripts plus IRC
communication scripts.
McAfee and Norton have yet to identify it during a scan, but the WMS.exe
program we have found is a port scanner that first tries to connect to
fuel.pyroshells.com, dnsix.com, and (this is silly) 192.168.0.1 and beyond that
I've not had time to analyze the little bugger yet other than to read the
scripts.
It uses a svcinst.exe to process a rtl386.sys containing instructions to
connect to:
irc.elite-irc.net 6667
crystal.elite-irc.net 7000
darwin.elite-irc.net 6667
killer.elite-irc.net 6667
The user name is IsoZone and the credit line reads iSoZoNE WAS H3R3.
It installs files named 1MB.Test and 5MB.Test in %sysdir%\pk32 and sets up an
admin password entry that looks like an MD5 hash. We appear to be toast.
So my question is whether someone out there knows what this is?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
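The post lists concrete artefacts (file names, a directory, IRC hostnames and port-scan targets) that an administrator would want to sweep other Win2k hosts for. Below is an added example of such a triage sweep; it is not the poster's tooling or anything from the thread. It assumes the layout the message describes (WMS.exe in WINNT and WINNT\system32, a WINNT\system32\nt script directory, 1MB.Test and 5MB.Test in system32\pk32) and assumes rtl386.sys is a plain-text file, which the post does not confirm. The sample tree it builds is constructed for the demo.

```python
"""Triage sweep for the artefacts named in the Full-Disclosure post.
Added example, not the original poster's code. Walks a WINNT directory and
reports files, directories and hostnames matching the indicators described."""
import os
import re
import shutil
import tempfile

# File and directory names taken from the post (matched case-insensitively).
SUSPECT_FILES = {"wms.exe", "svcinst.exe", "rtl386.sys", "1mb.test", "5mb.test"}
SUSPECT_DIRS = {
    os.path.join("system32", "nt").lower(),     # installation / launch scripts
    os.path.join("system32", "pk32").lower(),   # %sysdir%\pk32 with the .Test files
}
# IRC servers and port-scan targets named in the post.
HOST_RE = re.compile(
    r"\b(?:[\w-]+\.elite-irc\.net|fuel\.pyroshells\.com|dnsix\.com)\b",
    re.IGNORECASE,
)
MAX_TEXT_BYTES = 1_000_000  # do not slurp large binaries looking for hostnames


def scan_text_for_hosts(text):
    """Return the sorted, lower-cased indicator hostnames found in a text body."""
    return sorted({m.group(0).lower() for m in HOST_RE.finditer(text)})


def sweep(root):
    """Walk `root` (a WINNT directory) and collect matching files, dirs and hosts."""
    hits = {"files": [], "dirs": [], "irc_hosts": {}}
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.relpath(dirpath, root).lower() in SUSPECT_DIRS:
            hits["dirs"].append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() in SUSPECT_FILES:
                hits["files"].append(path)
            try:
                if os.path.getsize(path) > MAX_TEXT_BYTES:
                    continue
                # latin-1 never fails to decode, so binaries are scanned harmlessly.
                with open(path, "r", encoding="latin-1") as fh:
                    hosts = scan_text_for_hosts(fh.read())
            except OSError:
                continue
            if hosts:
                hits["irc_hosts"][path] = hosts
    return hits


def summarize(hits, root):
    """Normalise hit paths to lower-case, forward-slash, root-relative form."""
    def rel(p):
        return os.path.relpath(p, root).replace(os.sep, "/").lower()
    return {
        "files": sorted(rel(p) for p in hits["files"]),
        "dirs": sorted(rel(p) for p in hits["dirs"]),
        "irc_hosts": {rel(p): h for p, h in hits["irc_hosts"].items()},
    }


def build_sample_tree(base):
    """Constructed WINNT layout mirroring the post; contents are placeholders."""
    sys32 = os.path.join(base, "system32")
    for d in ("nt", "pk32"):
        os.makedirs(os.path.join(sys32, d))
    with open(os.path.join(base, "WMS.exe"), "wb") as fh:
        fh.write(b"MZ placeholder")
    with open(os.path.join(sys32, "WMS.exe"), "wb") as fh:
        fh.write(b"MZ placeholder")
    with open(os.path.join(sys32, "svcinst.exe"), "wb") as fh:
        fh.write(b"MZ placeholder")
    # Assumed plain-text rtl386.sys carrying the server list from the post.
    with open(os.path.join(sys32, "rtl386.sys"), "w") as fh:
        fh.write("irc.elite-irc.net 6667\ncrystal.elite-irc.net 7000\n"
                 "darwin.elite-irc.net 6667\nkiller.elite-irc.net 6667\n")
    with open(os.path.join(sys32, "nt", "launch.bat"), "w") as fh:
        fh.write("svcinst.exe rtl386.sys\n")
    for name in ("1MB.Test", "5MB.Test"):
        with open(os.path.join(sys32, "pk32", name), "w") as fh:
            fh.write("constructed placeholder\n")
    with open(os.path.join(sys32, "notepad.exe"), "wb") as fh:
        fh.write(b"MZ benign placeholder")


def demo():
    """Build the constructed tree in a temp dir, sweep it, return the summary."""
    base = tempfile.mkdtemp(prefix="winnt_demo_")
    try:
        build_sample_tree(base)
        return summarize(sweep(base), base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host you would call `sweep(r"C:\WINNT")` and review the summary; a hit on any of the file names or the system32\nt directory is enough to pull the machine for imaging, and the hostname scan shows which scripts carry the IRC server list.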