Interesting Program



I infected my kid's computer to help get some info...

The file is "WINIOGON.EXE" in the windows dir. There are policy changes and registry changes... anyone who needs a removal/fix script... perhaps, I will kill 30 minutes to write one for you...

Lar.


It was his intention to infect these PCs because all the mails of that program would be sent to xparax@gmail.com and I think that's his email address. Isn't it, brandon?

There are 3 ways this may not be para's fault:

1) para may have this virus and it attached itself to this file.

2) para's friend may have this virus and it attached itself to this file.

3) para's friend is a worthless moron who needs shot.

kloyenz, whether this was intentional or accidental, you need to tone it down a bit with the accusations. Frankly, the way I see it, it's nobody's fault but your own that you got infected by this thing since you were the one who downloaded it and ran it without ensuring it was safe.


A Google search on WinIogon.exe is sketchy but I surmised that it's a Trojan Backdoor.

That coupled with the fact that it only emails to one address tells me it's a Netbus style prank trojan that kiddie-scripters and hacker wannabes try to get people to run so they can pop open their CD rom tray, move the mouse around, launch URLs and show off basically.

If he got an email from your kids computer then he got an IP on you also. All he has to do is run the client and ping your IP on the correct port to connect with the already running server. What he can do from there who knows?

These will work right through a NAT, but ZA or any software firewall will usually prevent the server from getting outside.

-Scott



I've turned exe attachments off, the only reason I turned them on was so that I could get someone to quickly try a custom build of autoit3.exe to hunt a bug...

Obviously, people can still upload zip files (as they should be allowed to do) so exercise caution when downloading things from people you don't know.

Running an exe from someone with a post count of "1" is probably not a great idea :)


I need a good reason not to BAN "para"... I'm listening...

LAr.


I say PARA should explain (in about 1,000 words) exactly what the script he figured was so important to the autoit community does.

Explain buttons, explain icons, explain input and output.

If he can convince members that this wonderful program is so perfect that it is worth uploading it without source since no one will ever need to change anything that it does, then he should stay.

If not he should stay but be labeled an idiot and marked as such.


I say PARA should explain (in about 1,000 words) exactly what the...


... ****

I figure it is possible that his buddy "Matt" played a rotten joke on Para by putting Para's email into the trojan and compiled/compressed it to a stand alone exe, knowing that Para would probably post it someplace and get into trouble.

On the other hand, I don't understand why Para posted this twice on this board, unless he already knew what it did and was 'fishing' to see how many people would run it.

In either case I agree.... Para's got some 'splainin to do.


Just a question: Don't some viruses pull email address off a PC, from the Address Book, and then use them to send out email messages? Where I used to work people would get email messages from themselves sometimes, but I think it was a virus, or worm, just using the email address. This could explain what happened with Para.

Just my idea. Please let me know if that's not possible in this situation.

Thanks for taking the time to read my post,

Ian

Edit: Of course, now that I look at the Subject again, * Interesting Program *, that's kind of suspicious. But, I could be wrong. Thanks again.

Edited by ioliver

"Blessed be the name of the Lord" - Job 1:21
Check out Search IMF


Just a question: Don't some viruses pull email address off a PC, from the Address Book, and then use them to send out email messages? Where I used to work people would get email messages from themselves sometimes, but I think it was a virus, or worm, just using the email address. This could explain what happened with Para.


You are correct that most viruses that are in the wild (Klez, Mydoom, Netsky to name some of the popular ones) are designed to propagate themselves by finding addys on the infected PC and sending a copy of itself to each.

The exe that Para posted was proven by Kloyenz and I think also Larry to send an email to just one address....

Received: from 127.0.0.1 (AVG SMTP 7.0.269 [265.4.3]); Mon, 29 Nov 2004 19:59:10 +0100
From: CIA-Notify <notify@cia.com>
To: xparax@gmail.com <xparax@gmail.com>
Subject: CIA Server Online 192.168.1.100
Date: 29/11/2004 19:59:10
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Server Ip: 192.168.1.100
Port: 6333

It doesn't look like it even sends a copy of itself in the email.

But it does try to send the infected PC's IP address in the body of the email. The above copy of the email that was sent from Kloyenz's PC shows that his IP is 192.168.1.100. Correct me if I'm wrong, but that IP means that PC was the first to log into a Linksys router using DHCP (DHCP starts at 100 and goes up in a Linksys router). The receiver of that email (xparax@gmail.com) can't use that IP for anything because it is a LAN IP and can't be accessed via the internet. But the 'Received' IP, 127.0.0.1, is a valid internet IP. So either way xparax@gmail.com got Kloyenz's IP address and knows that he ran that exe file.

I would also take a guess and say that Kloyenz's port 6333 has been opened up and is waiting for something, possibly a client that can talk directly to the program(s) that got launched by that exe file.

That's just a hypothetical example of what that program does based on Kloyenz's post a while back; I doubt he let it get that far.

But this exe file has many indications of being a remote access trojan, not necessarily a virus.

-Scott


The receiver of that email (xparax@gmail.com) can't use that IP for anything because it is a LAN IP and can't be accessed via the internet. But the 'Received' IP, 127.0.0.1, is a valid internet IP. So either way xparax@gmail.com got Kloyenz's IP address and knows that he ran that exe file.


I doubt it, 127.0.0.1 is only the localhost.

I believe that this is a bug in the so called virus. Instead of sniffing the public IP, it sends the private one... so its purpose in this case just fails (ok I know the port, but which is the IP?).


I doubt it, 127.0.0.1 is only the localhost.

I believe that this is a bug in the so called virus. Instead of sniffing the public IP, it sends the private one... so its purpose in this case just fails (ok I know the port, but which is the IP?).


Good point.

I don't think Kloyenz actually let the email send out through his ISP.

If he had, the email would have contained his real IP.

You can test this yourself...

First find your actual internet IP here.

Then send yourself an email and look at the header when you get it back.

The second "Received:" in the header should have the IP of your ISP's sendmail server and also your ISP's URL along with your current IP.

-Scott


[...] so its purpose in this case just fails (ok I know the port, but which is the IP?).

It didn't fail... Guess you don't know what is in an email. You can get the IPs of all computers that forwarded a mail from the headers. Even a lot of webmail services add this information to the mail even if it's not technically necessary.

"Send me an email and I'll tell you what ISP you're using"


Still waiting for a good explanation from para.

In my opinion there are too many coincidences here. How convenient that he got error messages. How strange that his email address was used. Why didn't his AV program identify a trojan like everybody else's?

Was it a coincidence that this thread was named 'Interesting program'? Was it a coincidence that he started by describing how much he likes open source but...

I really hope I'm wrong. If not, Jon probably has his IP & email address, right?


Bad side

For one thing... I agree with Scottswan... why did he post it twice? Obviously he thought he was smart and tried to give it to multiple people... also, I agree with nova... stop the exe posts... but I agree with Jon, let people post zip... I usually post exe only so that when I get to my cousin's house, I can download it there and use it since they don't trust others over the internet... and I also post the source for everyone who would rather copy and paste it (like me). I don't actually expect people to download the .exe, that's for my use. I still think it's fishy that it's called a "RECORDING" program... maybe a keylogger that also logs everything else about your computer rather than key strokes... worst case scenario, ban his IP

Good Side

From Valik:

There are 3 ways this may not be para's fault:

1) para may have this virus and it attached itself to this file.

2) para's friend may have this virus and it attached itself to this file.

3) para's friend is a worthless moron who needs shot.

also...

@Valik: thanks for explaining to me what a virtual machine is =)

FootbaG

Correct me if I'm wrong, but that IP means that PC was the first to log into a Linksys router using DHCP (DHCP starts at 100 and goes up in a Linksys router). 


Not necessarily... That IP is one of many that are reserved for private networks. Depending on the brand of router and how the router is set up, the IP address could be anywhere in the 192.168.1.1 to 192.168.1.255 range (minus the IP of the router). This range, along with all of the other private ranges, can be used in any router.

  The Internet Assigned Numbers Authority (IANA) has reserved the
  following three blocks of the IP address space for private internets:

    10.0.0.0        -  10.255.255.255
    172.16.0.0      -  172.31.255.255
    192.168.0.0     -  192.168.255.255

You can find more info about this at: http://www.faqs.org/rfcs/rfc1918.html

We have enough youth. How about a fountain of SMART?


@sugi: That's true but even if you know my ISP you can't know my public IP in this way. It must be included in the mail's headers or in the mail's body if the virus does this.

I know it because the receiving mailserver adds the IP he got the mail from (that's your IP) to the headers. So there's no need for the virus to do this. I guess the one who wrote that trojan wanted to create a trojan that could be used even by fools.

Looks like this (I changed the IPs):

Received: from [123.45.67.89] (schuh.manitu.net [123.45.67.89])
    by mailin.manitu.net (8.11.6/8.11.6) with ESMTP id iAUG3Ds16857;
    Tue, 30 Nov 2004 17:03:13 +0100
Edited by sugi
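One defender-side check that ties together Scott's, sugi's and the RFC 1918 posts above: walk the Received: headers, skip loopback and RFC 1918 hops (the trojan's own 127.0.0.1 / 192.168.1.100 report), and take the earliest public hop as the address a recipient could actually act on. This is an added example, not code from the thread; the sample message is constructed by stacking the two headers quoted above into one delivered mail.

```python
import ipaddress
import re

# RFC 1918 blocks quoted in the thread, plus the loopback block from the AVG line.
RFC1918_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: sugi's mail-server "Received:" line stacked on top of the
# trojan's own AVG line and body, as the message would look after delivery.
SAMPLE_MAIL = """\
Received: from [123.45.67.89] (schuh.manitu.net [123.45.67.89])
    by mailin.manitu.net (8.11.6/8.11.6) with ESMTP id iAUG3Ds16857;
    Tue, 30 Nov 2004 17:03:13 +0100
Received: from 127.0.0.1 (AVG SMTP 7.0.269 [265.4.3]); Mon, 29 Nov 2004 19:59:10 +0100

Server Ip: 192.168.1.100
Port: 6333
"""

def classify_ip(text):
    """'loopback', 'private', 'public' or 'invalid' for an IPv4 string."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "invalid"
    if ip in LOOPBACK:
        return "loopback"
    if any(ip in net for net in RFC1918_BLOCKS):
        return "private"
    return "public"

def received_hops(raw_mail):
    """First IPv4 literal of each Received: header (folded lines joined),
    earliest hop first; headers list the newest hop at the top."""
    headers = raw_mail.split("\n\n", 1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    hops = [IPV4_RE.search(h) for h in unfolded.splitlines()
            if h.lower().startswith("received:")]
    return [m.group(1) if m else None for m in reversed(hops)]

def originating_public_ip(raw_mail):
    """Earliest public Received: hop, regardless of the private IP in the body."""
    for ip in received_hops(raw_mail):
        if ip and classify_ip(ip) == "public":
            return ip
    return None
```

On the sample, the body's 192.168.1.100 and the AVG hop's 127.0.0.1 are classified as unusable and the mail server's 123.45.67.89 is returned, which is exactly the point sugi makes about the receiving server adding the sender's IP.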
