
Re: [Full-Disclosure] wms.exe on win2k?



S G Masood wrote:
--- JTBurn <jtburn@xxxxxxx> wrote:


I think it's a typical form of an XDCC-BoT.
That means: they hacked your pc and installed
a script from which the persons from the channel
can get warez or moviez and so on from your
pc.


-- cu, JTBurn


Hello,

I think you are right. In the irc servers mentioned in
the original post, there is a warez trading channel
called "#isozone" and as the original poster

Actually it's #iso-zone and I think their control channel was #okie as someone mentioned before. #okie looks like it was closed down (only 2 people left in it, looks like some were moved to #test0r) and #iso-zone looks like they are having a lack of warez sharing bots.


10:36 [ctcp([iZ]-iSo-ZonE0074)] VERSION
10:36 CTCP VERSION reply from [iZ]-iSo-ZonE0074: Xans XDCC Bot 0.51

Here is a quick scan of some infected machines (if these are the same bots).

10:32 *** * [iZ]-iSo-ZonE0043 H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0004 H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0001 H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0011 H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0062 H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0086-OutOfOrder H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** #test0r [iZ]-LeechMe-v2 H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0056 H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0007 H 0 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0003 H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0002 H 0 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0025 H 1 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0064 H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0010 H 3 isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** * [iZ]-iSo-ZonE-0100 H 3 isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0036 H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0068 H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0008 H 3 isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0030 H 1 isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0009 H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0021 H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0031EU H 3 isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0032 H 3 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** #iso-zone [iZ]-UtilServer H 0 isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** #iso-zone [iZ]-iSo-ZonE0027 H 3 isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** #iso-zone [iZ]-iSo-ZonE0074 H 0 ~isozone@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx "IsoZone"
10:32 *** End of /WHO list



mentioned, "the user name is IsoZone and the credit
line reads iSoZoNE WAS H3R3". So, your PC is being
used to serve illegal warez to people. Even though it
is not your fault, it can get you in trouble with the
law.

--
S.G.Masood


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


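As an added example, not from the thread or from any poster: a small Python parser for /WHO output in the irssi-style format quoted above, which picks out the entries sharing the bot family's fixed ident and real name and summarises the hosts per channel, so an admin can hand a clean host list to the owning networks. The sample lines and host names are constructed.

```python
import re
from collections import Counter

# Constructed sample modelled on the /WHO output quoted in the thread;
# the host names are placeholders, not the masked ones from the archive.
SAMPLE_WHO = """\
10:32 *** * [iZ]-iSo-ZonE0043 H 3 ~isozone@host-a.example "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0001 H 3 ~isozone@host-b.example "IsoZone"
10:32 *** #test0r [iZ]-LeechMe-v2 H 3 ~isozone@host-c.example "IsoZone"
10:32 *** #iso-zone [iZ]-UtilServer H 0 isozone@host-d.example "IsoZone"
10:32 *** #test0r alice H 3 ~alice@desk17.example "Alice"
10:32 *** End of /WHO list
"""

# One /WHO entry: time, "***", channel (or "*"), nick, flags, hops,
# [~]ident@host, quoted real name.  A leading "~" on the ident means the
# server could not confirm the username through identd.
WHO_RE = re.compile(
    r'^\d{2}:\d{2} \*\*\* (?P<chan>\S+) (?P<nick>\S+) (?P<flags>\S+) '
    r'(?P<hops>\d+) (?P<ident>~?[^@\s]+)@(?P<host>\S+) "(?P<realname>[^"]*)"$'
)

def parse_who(text):
    """Return one dict per parsed /WHO line; the trailer and junk are skipped."""
    entries = []
    for line in text.splitlines():
        m = WHO_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["hops"] = int(d["hops"])
            d["ident_verified"] = not d["ident"].startswith("~")
            d["ident"] = d["ident"].lstrip("~")
            entries.append(d)
    return entries

def flag_bots(entries, ident="isozone", realname="IsoZone"):
    """Entries whose ident or real name matches the bot family's fixed strings."""
    return [e for e in entries
            if e["ident"].lower() == ident.lower() or e["realname"] == realname]

def hosts_per_channel(entries):
    """Flagged hosts per channel ("*" = not in a channel visible to the requester)."""
    return Counter(e["chan"] for e in flag_bots(entries))

def infected_hosts(entries):
    """Sorted unique host names of flagged entries, ready for abuse reports."""
    return sorted({e["host"] for e in flag_bots(entries)})

if __name__ == "__main__":
    parsed = parse_who(SAMPLE_WHO)
    print(hosts_per_channel(parsed))
    print(infected_hosts(parsed))
```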