Virus Warning (General Discussion)

ryan

Jul 2, 2003, 6:49pm
DO NOT download:

www.runescapeaddicts.com/alexbot.exe

This is a virus being spread by M A T T. I would not download ANYTHING
from that domain, either.

Ryan

strike rapier

Jul 2, 2003, 7:04pm
Smells like a keylogger? Hooks and handles, etc.

- Mark


[binary dump of the file, with only the recoverable strings kept]

!This program cannot be run in DOS mode.
Ghirai
fearless
FKS_SERV
Microsoft
rmMain
mod
Reg
C:\Pgram F
Visuals
tudio\
98
pctHook
loseHan
adLib
advapi
_vbaLCMc
.rdata
.shared
KERNEL
PostMes
_CIcos
adj_fptan
EVENT_SINK_
CUSTOM
CUSTOM
KERNEL32.DLL
MSVBVM60.DLL
LoadLibraryA
GetProcAddress
ExitProcess

agent1

Jul 2, 2003, 7:37pm
> Smells like a keylogger? Hooks and handles, etc.

You don't need to post large amounts of the file here...

Norton Antivirus told me it was a Trojan Horse, but not which one.

--
-Agent1

strike rapier

Jul 2, 2003, 7:43pm
Was only 3 KB =P, just recovered text (MS Word - an intelligent file sniffer?)

- Mark

mrbruce

Jul 2, 2003, 8:37pm
Yes, this was logged at A!!CT's GZ by a tourist "Alcoholic":
www.runescapeaddicts.com/alexbot.exe -THIS BOT GENERATES TERRAIN. HAS
ARTIFICIAL INTELLIGENCE AND MUCH MUCH MORE! Check it out today and learn how
you can win $50.00 just for trying it out!

strike rapier

Jul 2, 2003, 8:41pm
Collate any IP records in any worlds and ensure they're saved for later
use...

The file appears to hook the keyboard; the file is way too small to be a bot,
which most people should have picked up on though....

I'd personally recommend never giving passwords / PPWs to anyone who isn't
defended by an up-to-date firewall and antivirus software (pref. with
Bloodhound).

- Mark

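The strings dump and the "hooks the keyboard, too small to be a bot" reasoning in the posts above amount to a quick static triage. Below is an added example of that triage in Python; it is not code from the thread and it does not analyse the real alexbot.exe. It runs over a constructed byte blob that imitates the readable strings in the dump (the PE DOS stub, the frmMain/modReg/pctHook names, the MSVBVM60.DLL import and the LoadLibraryA/GetProcAddress pair). The indicator table and the 64 KB "too small to be a bot" floor are assumptions of the example, not facts from the thread.

```python
import re
from typing import Dict, List

# Constructed sample: a synthetic byte blob that imitates the readable strings
# in the pasted dump (PE DOS stub, VB6 form/module names, a hook-related name,
# the VB6 runtime import and the LoadLibraryA/GetProcAddress pair). It is NOT
# the real alexbot.exe and contains no executable code.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    b"\x00frmMain\x00modReg\x00pctHook\x00"
    b"KERNEL32.DLL\x00MSVBVM60.DLL\x00LoadLibraryA\x00GetProcAddress\x00"
    b"ExitProcess\x00\x01\x02\x03advapi32\x00CloseHandle\x00"
    b"\x7f\x80\x81EVENT_SINK_AddRef\x00ab\x00cd"
)

# Indicator table: assumed for this example, not taken from the thread.
INDICATORS: Dict[str, List[str]] = {
    "pe_executable": ["This program cannot be run in DOS mode"],
    "vb6_runtime": ["MSVBVM60.DLL"],
    "dynamic_import_resolution": ["LoadLibraryA", "GetProcAddress"],
    "hook_related": ["Hook"],
    "registry_api": ["advapi32"],
}


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def triage(blob: bytes, bot_size_floor: int = 64 * 1024) -> Dict[str, object]:
    """Static triage: pull strings, match indicators, and apply the size sanity
    check from the post (an assumed 64 KB floor: a real terrain-generating bot
    with "artificial intelligence" would not fit in a few KB)."""
    strings = extract_strings(blob)
    indicators: Dict[str, List[str]] = {}
    for name, needles in INDICATORS.items():
        matched = [s for s in strings if any(n.lower() in s.lower() for n in needles)]
        if matched:
            indicators[name] = matched
    # A hook plus runtime import resolution or registry access is the keylogger
    # pattern the thread is reasoning about; flag that combination.
    suspicious = "hook_related" in indicators and (
        "dynamic_import_resolution" in indicators or "registry_api" in indicators
    )
    return {
        "size": len(blob),
        "strings": strings,
        "indicators": indicators,
        "too_small_for_bot": len(blob) < bot_size_floor,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BLOB)
    print(f"size: {report['size']} bytes, too small for a bot: {report['too_small_for_bot']}")
    for name, hits in report["indicators"].items():
        print(f"  {name}: {', '.join(hits)}")
    print("suspicious:", report["suspicious"])
```

Strings alone never prove intent; they are a reason to run the sample in an isolated machine, as the later post in this thread describes, not a verdict on their own.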
tengel

Jul 2, 2003, 9:17pm
Give his IP if you have it, MrBruce; maybe it is the same one that deleted one
of the worlds I host,

and the time.

Tengel

strike rapier

Jul 2, 2003, 9:38pm
Gawd I love step by step ASM....

The target file you are looking for is called ouleaut32.exe and is located
in

%SystemRoot%\system32\

The program IS self-replicating and copies itself to the above directory
when it is run; it also generates the following reg keys:

HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    ouleaut32
    path
    enabled

Delete any keys from the registry referring to the file; it is everywhere...
You must also kill the active thread (use Task Manager) and then nuke the
EXE, preferably with overwrite....

The key is also placed in the 'Run' subkey group for:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ouleaut32

where ouleaut32 must be deleted....

It also exists in the UserInit key under the Windows NT keys.. but edit it
manually and leave the first part of UserInit in there... just nuke the
annoying bit (NOT userinit.exe afaik)

In short, you do this....

Run -> Regedit

Search for everything that includes 'ouleaut32'; as soon as it highlights a
key... kill it (press the Delete key), then search for the next... press F3
for quick search.... and don't forget to delete them all AND the EXE... both
in system32 and the one you downloaded...

Finally... to finish the uninstall, find M a t t and give him a severe beating...
PS M a t t y boy... your plans are screwed.

- Mark

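The removal procedure in the post above, as an added example that is not part of the post: a Python script that takes a regedit export (what `regedit /e` writes) and builds a second .reg file that undoes the persistence. It uses the `"name"=-` syntax, which deletes a value when the file is imported, for the Run entries, and rewrites the Winlogon Userinit value so that the genuine userinit.exe stays and only the appended entry is dropped, which is the caveat the post makes. The sample export, the key paths (the standard HKLM and HKCU Run keys and the Winlogon key, not the .DEFAULT path written in the post) and the value names are constructed for the example. Importing the file only removes the registry references; the process still has to be killed and the EXE deleted, as the post says.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a regedit export (the format `regedit /e` writes), with
# the three persistence points the post describes plus two legitimate values
# that must survive. Paths and names are assumptions of this example.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ouleaut32"="C:\\WINDOWS\\system32\\ouleaut32.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ouleaut32"="C:\\WINDOWS\\system32\\ouleaut32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ouleaut32.exe"
"Shell"="Explorer.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=data or @=data (default value). Only single-line REG_SZ data is
# handled here; hex(...) values with continuation lines are out of scope.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')


def build_removal_reg(export_text: str, needle: str = "ouleaut32") -> Tuple[str, List[Dict[str, str]]]:
    """Build a .reg file that undoes the persistence when imported.

    Values whose name or data reference `needle` become `"name"=-`, which
    deletes the value on import. Winlogon\\Userinit is a comma-separated list
    and must keep the genuine userinit.exe, so only the injected entry is
    dropped and the value is rewritten rather than deleted.
    """
    needle_l = needle.lower()
    sections: Dict[str, List[str]] = {}   # key path -> lines to emit under it
    findings: List[Dict[str, str]] = []
    current_key = ""
    for line in export_text.splitlines():
        km = KEY_RE.match(line)
        if km:
            current_key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not vm or not current_key:
            continue
        name = vm.group("name") if vm.group("name") is not None else "@"
        ref = "@" if name == "@" else f'"{name}"'
        data = vm.group("data")
        if name.lower() == "userinit" and current_key.lower().endswith("\\winlogon"):
            inner = data[1:-1] if len(data) >= 2 and data[0] == data[-1] == '"' else data
            parts = inner.split(",")
            kept = [p for p in parts if needle_l not in p.lower()]
            if len(kept) != len(parts):
                fixed = ",".join(kept)
                sections.setdefault(current_key, []).append(f'{ref}="{fixed}"')
                findings.append({"key": current_key, "value": name, "action": "edit",
                                 "before": inner, "after": fixed})
            continue
        if needle_l in name.lower() or needle_l in data.lower():
            sections.setdefault(current_key, []).append(f"{ref}=-")
            findings.append({"key": current_key, "value": name, "action": "delete",
                             "before": data, "after": ""})
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, lines in sections.items():
        out.append(f"[{key}]")
        out.extend(lines)
        out.append("")
    return "\n".join(out), findings


if __name__ == "__main__":
    removal, found = build_removal_reg(SAMPLE_EXPORT)
    for f in found:
        print(f"{f['action']:6} {f['key']} -> {f['value']}")
    print()
    print(removal)  # save as removal.reg; kill the process and delete the EXE first
```

Re-importing a cleaned copy of the export would not remove anything, because a .reg import only creates and overwrites values; the `=-` form is what actually deletes them, which is why the script emits a separate removal file instead of a filtered export.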
mrbruce

Jul 2, 2003, 10:10pm
I will have Starfleet post it; I was outside A!!CT at the time handling a
dispute and was unable to get back in time to right-click the tourist to get
his IP.
MrBruce

mrbruce

Jul 2, 2003, 10:32pm
OK, got it. Telegram from Starfleet, sent 21 minutes ago:
203.14.169.18
It's most likely just a proxy anyway.

themask

Jul 3, 2003, 12:25am
If it was an SDBot or something, I'd love to camp in his IRC channel and
watch him come in, log in and put in all these other things.. that's
always funny to do if you have an SDBot on your system.. just hilarious to
fool with the owners :)

builderz

Jul 3, 2003, 1:02am
I tried to do a WHOIS on that domain name, but it looks like the WHOIS
server for it is down at the moment (or fake).

However, the IP address of www.runescapeaddicts.com belongs to Everyones
Internet, so it is probably on a server in the RackShack/EV1 datacenter.
M A T T could have his own server (I doubt it) or have an account with
another host there.

Builderz
http://www.3dhost.net

shred

Jul 3, 2003, 1:51am
May just be me, but it looks like alexbot.exe has been removed from the public root directory.

agent1

Jul 3, 2003, 12:17pm
Mail sent to abuse at rackshack.net.

--
-Agent1

alaskanshadow

Jul 3, 2003, 4:27pm
This is also from matt, and NOT wise to click:
"PO": awmafia.netfirms.com/awhack34.exe THE NEWEST AWHACK. ALLOWS YOU TO
ENCROACH OVER OTHER'S PROPERTY!!!

john

Jul 3, 2003, 6:23pm
That's not possible, lmao! Since it's server-checked.

~John

strike rapier

Jul 3, 2003, 6:27pm
We.... know... lol

- Mark

alaskanshadow

Jul 3, 2003, 7:12pm
Last time when he spread the virus, his ploy was a bot that had "artificial
intelligence", lmao.

strike rapier

Jul 3, 2003, 7:14pm
We all know only the Echelon attack system has AI.. and its version is
comparatively poor..

- Mark

ryan

Jul 3, 2003, 7:15pm
Think before you click...never click or download things from untrusted
sources ...especially tourists at an AWI world GZ...lol

Ryan

alaskanshadow

Jul 3, 2003, 7:25pm
Dude, I told you it was a virus, and you clicked it ANYWAYS, lool

strike rapier

Jul 3, 2003, 7:26pm
Well, so did I... but I ran it step by step in disassembly in Visual
Studio... on a secured test machine.

- Mark

alaskanshadow

Jul 3, 2003, 7:28pm
But ryan doesn't think like you do strike, hehe

basix

Jul 19, 2003, 4:53am
Damn people making virii, trying to ruin my precious awhack. :-X


Awportals.com is a privately held community resource website dedicated to Active Worlds.
Copyright (c) Mark Randall 2006 - 2024. All Rights Reserved.