Virus Warning (General Discussion)
ryan, Jul 2, 2003, 6:49pm
DO NOT download:
www.runescapeaddicts.com/alexbot.exe This is a virus being spread by M A T T. I would not download ANYTHING from that domain, either. Ryan

strike rapier, Jul 2, 2003, 7:04pm
Smells like keylogger? Hooks and handles etc.
- Mark

agent1, Jul 2, 2003, 7:37pm
[View Quote]
> Smells like keylogger? Hooks and handles etc.
You don't need to post large amounts of the file here... Norton Antivirus told me it was a Trojan Horse, but not which one. -- -Agent1

strike rapier, Jul 2, 2003, 7:43pm

mrbruce, Jul 2, 2003, 8:37pm
Yes, this was logged at A!!CT's GZ by a tourist "Alcoholic":
www.runescapeaddicts.com/alexbot.exe -THIS BOT GENERATES TERRAIN. HAS ARTIFICIAL INTELLIGENCE AND MUCH MUCH MORE! Check it out today and learn how you can win $50.00 just for trying it out! [View Quote]

strike rapier, Jul 2, 2003, 8:41pm
Collate any IP records in any worlds and ensure they're saved for later use... The file appears to hook the keyboard; the file is way too small to be a bot, which most people should have picked up on though.... I'd personally recommend never giving passwords / PPWs to anyone who isn't defended by an up-to-date firewall and anti-virus software (pref with Bloodhound). - Mark [View Quote]

tengel, Jul 2, 2003, 9:17pm
Give his IP if you have it. Mr Bruce, maybe it is the same one that deleted one of the worlds I host, and the time. Tengel [View Quote]

strike rapier, Jul 2, 2003, 9:38pm
Gawd I love step by step ASM....

The target file you are looking for is called ouleaut32.exe and is located in %SystemRoot%/system32/. The program IS self replicating and copies itself to the above directory when it is run. It also generates the following reg keys:

HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\ouleaut32 path enabled

Delete any keys from the registry referring to the file, it is everywhere... You must also kill the active thread (use task manager) and then nuke the EXE, and preferably use overwrite.... The key is also placed in the 'Run' subkey group for:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ouleaut32

where ouleaut32 must be deleted.... It also exists in the UserInit key under the Windows NT keys.. but edit it manually and leave the first part of UserInit in there... just nuke the annoying bit (NOT userinit.exe afaik).

In short you do this.... Run -> Regedit. Search for everything that includes 'ouleaut32'; as soon as it highlights a key... kill it (press the delete key), then search for the next... press F3 for quick search.... and don't forget to delete them all AND the EXE... both in system32 and the one you downloaded... Finally... to finish uninstall find M a t t and give him a severe beating... PS M a t t y boy... your plans are screwed. - Mark [View Quote]

mrbruce, Jul 2, 2003, 10:10pm
I will have Starfleet post it, I was outside A!!CT at the time handling a dispute and was unable to get back in time to right click the tourist to get his IP. MrBruce [View Quote]

mrbruce, Jul 2, 2003, 10:32pm
OK got it. Telegram from Starfleet, sent 21 minutes ago:
203.14.169.18 it's most likely just a proxy anyways [View Quote]

themask, Jul 3, 2003, 12:25am
If it was an SDBot or something, I'd love to camp in his IRC channel and watch him come in, logging in and putting in all these other things.. that's always funny to do if you have an SDBot on your system.. just hilarious to fool with the owners :)

builderz, Jul 3, 2003, 1:02am
I tried to do a WHOIS on that domain name, but it looks like the WHOIS server for it is down at the moment (or fake). However, the IP address of www.runescapeaddicts.com belongs to Everyones Internet, so it is probably on a server in the RackShack/EV1 datacenter. M A T T could have his own server (I doubt it) or have an account with another host there. Builderz http://www.3dhost.net [View Quote]

shred, Jul 3, 2003, 1:51am
May just be me, but it looks like alexbot.exe has been removed from the public root directory.
[View Quote]

alaskanshadow, Jul 3, 2003, 4:27pm
This is also from Matt, and NOT wise to click:
"PO": awmafia.netfirms.com/awhack34.exe THE NEWEST AWHACK. ALLOWS YOU TO ENCROACH OVER OTHER'S PROPERTY!!! [View Quote]

alaskanshadow, Jul 3, 2003, 7:12pm
Last time when he spread the virus, his ploy was a bot that had "artificial intelligence" lmao. [View Quote]

strike rapier, Jul 3, 2003, 7:14pm
We all know only the Echelon attack system has AI.. and its version is comparatively poor.. - Mark [View Quote]

ryan, Jul 3, 2003, 7:15pm
Think before you click...never click or download things from untrusted sources ...especially tourists at an AWI world GZ...lol Ryan [View Quote]

alaskanshadow, Jul 3, 2003, 7:25pm

strike rapier, Jul 3, 2003, 7:26pm
Well so did I... but I ran it step by step in disassembly in Visual Studio... on a secured test machine. - Mark [View Quote]

basix, Jul 19, 2003, 4:53am