To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
I'm sorry AGAIN, I posted using the wrong return address. This should be right. I really do not intend to spam this list.
From: Samuel J. Cole [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 07, 2006 11:18 PM
To: '[email protected]'
Subject: FW: Had some botnet files on one server of mine
Sorry... I should have mentioned that this always tries to connect on ports 6668, 7000, or 7002. Not sure about this but I thought I would try.
I have been blocking IRC
"join" requests for quite a few weeks when I discovered the attempt to
communicate. The scans I was running would not find this. Finally I
found that there were a number of files under c:\%systemroot%\dllcach (note the
missing "e"). The troublemaker files were in a hidden file disguised as a
"registry entry" looking directory, and when I moved them to a non-hidden
directory all of a sudden they became "available" to a virus scan and were
detected.
The scanner classified the files as part of a "mybot" infection. Specifically, there was a batch file that installed a second "explorer.exe" file and put it in c:\%systemroot%\system32 (whereas the "normal" explorer.exe is in c:\%systemroot%). The bogus "explorer.exe" would run every time the system was rebooted, and attempt to connect to a server at IP address 194.106.206.66, apparently a game server in Germany.
I have not attempted to contact anyone on that ISP to have it looked into yet. I am quite a bit less capable technically than most if not all that post on this list, but its creation was very timely.
Hope that's not too much information.
_______________________________________________
botnets mailing list
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
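As an added illustration (not part of the original post), here is a small Python check for the three indicators the poster describes: a second explorer.exe under system32, files under a misspelled "dllcach" directory, and outbound connections to ports 6668, 7000 or 7002. The file list and netstat lines are constructed samples, and C:\WINDOWS as %SystemRoot% is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the post: IRC-style ports the bogus explorer.exe used.
IRC_PORTS = {6668, 7000, 7002}

# Matches one line of Windows "netstat -n" output (constructed sample format).
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)", re.I)


def suspicious_paths(paths, system_root=r"C:\WINDOWS"):
    """Return (path, reason) for entries matching the post's file indicators."""
    root = PureWindowsPath(system_root)  # assumed %SystemRoot%
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        parts = [s.lower() for s in wp.parts]
        # The real explorer.exe lives in %SystemRoot%, never in system32.
        if wp.name.lower() == "explorer.exe" and wp.parent == root / "system32":
            hits.append((p, "explorer.exe outside %SystemRoot%"))
        # "dllcach" (missing 'e') is not a Windows directory; "dllcache" is.
        elif "dllcach" in parts:
            hits.append((p, "file under misspelled dllcach directory"))
    return hits


def irc_connections(netstat_lines):
    """Return (remote_ip, remote_port, state) for connections to IRC_PORTS."""
    found = []
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(4)) in IRC_PORTS:
            found.append((m.group(3), int(m.group(4)), m.group(5)))
    return found


# Constructed sample data; the 194.106.206.66 address is the one named in the post.
SAMPLE_PATHS = [
    r"C:\WINDOWS\explorer.exe",                    # legitimate
    r"C:\WINDOWS\system32\explorer.exe",           # bogus copy
    r"C:\WINDOWS\dllcach\setup.bat",               # dropper under misspelled dir
    r"C:\WINDOWS\system32\dllcache\kernel32.dll",  # legitimate dllcache
]
SAMPLE_NETSTAT = [
    "  TCP    192.168.1.10:1054      194.106.206.66:6668    SYN_SENT",
    "  TCP    192.168.1.10:1055      10.0.0.5:443           ESTABLISHED",
]

if __name__ == "__main__":
    for hit in suspicious_paths(SAMPLE_PATHS) + irc_connections(SAMPLE_NETSTAT):
        print("FLAGGED:", hit)
```

On a live host the same functions can be fed the output of a directory walk of %SystemRoot% and of `netstat -n`.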