kloyenz Posted November 29, 2004

> I infected my kid's computer to help get some info... The file is "WINIOGON.EXE" in the Windows dir. There are policy changes and registry changes... anyone who needs a removal/fix script... perhaps I will kill 30 minutes to write one for you... Lar.

It was his intention to infect these PCs because all the mails of that program would be sent to xparax@gmail.com and I think that's his email address. Isn't it, Brandon?
Nova Posted November 29, 2004 (edited November 29, 2004 by nova)

> I infected my kid's computer to help get some info...

LMAO. "How thoughtful of you." That's the funniest thing I've heard all day!
Valik Posted November 29, 2004

There are 3 ways this may not be para's fault:
1) para may have this virus and it attached itself to this file.
2) para's friend may have this virus and it attached itself to this file.
3) para's friend is a worthless moron who needs shot.

kloyenz, whether this was intentional or accidental, you need to tone it down a bit with the accusations. Frankly, the way I see it, it's nobody's fault but your own that you got infected by this thing, since you were the one who downloaded it and ran it without ensuring it was safe.
Scottswan Posted November 29, 2004

A Google search on WinIogon.exe is sketchy, but I surmised that it's a Trojan backdoor. That, coupled with the fact that it only emails to one address, tells me it's a NetBus-style prank trojan that kiddie-scripters and hacker wannabes try to get people to run so they can pop open their CD-ROM tray, move the mouse around, launch URLs and show off, basically. If he got an email from your kid's computer then he got an IP on you also. All he has to do is run the client and ping your IP on the correct port to connect with the already running server. What he can do from there, who knows? These will work right through a NAT, but ZA or any software firewall will usually prevent the server from getting outside.

-Scott
Jon (Administrator) Posted November 30, 2004

I've turned exe attachments off; the only reason I turned them on was so that I could get someone to quickly try a custom build of autoit3.exe to hunt a bug... Obviously, people can still upload zip files (as they should be allowed to do), so exercise caution when downloading things from people you don't know. Running an exe from someone with a post count of "1" is probably not a great idea.

Deployment Blog: https://www.autoitconsulting.com/site/blog/
SCCM SDK Programming: https://www.autoitconsulting.com/site/sccm-sdk/
normeus Posted November 30, 2004

> I need a good reason not to BAN "para"... I'm listening... LAr.

I say PARA should explain (in about 1,000 words) exactly what the script he figured was so important to the AutoIt community does. Explain buttons, explain icons, explain input and output. If he can convince members that this wonderful program is so perfect that it is worth uploading it without source, since no one will ever need to change anything that it does, then he should stay. If not, he should stay but be labeled an idiot and marked as such.

http://www.autoitscript.com/autoit3/scite/...iTe4AutoIt3.exe
Scottswan Posted November 30, 2004

> I say PARA should explain (in about 1,000 words) exactly what the...

**** I figure it is possible that his buddy "Matt" played a rotten joke on Para by putting Para's email into the trojan and compiling/compressing it to a stand-alone exe, knowing that Para would probably post it someplace and get into trouble. On the other hand, I don't understand why Para posted this twice on this board, unless he already knew what it did and was 'fishing' to see how many people would run it. In either case I agree... Para's got some 'splainin to do.
ioliver Posted November 30, 2004 (edited November 30, 2004 by ioliver)

Just a question: Don't some viruses pull email addresses off a PC, from the Address Book, and then use them to send out email messages? Where I used to work, people would get email messages from themselves sometimes, but I think it was a virus, or worm, just using the email address. This could explain what happened with Para. Just my idea. Please let me know if that's not possible in this situation.

Thanks for taking the time to read my post,
Ian

Edit: Of course, now that I look at the Subject again, * Interesting Program *, that's kind of suspicious. But I could be wrong. Thanks again.

"Blessed be the name of the Lord" - Job 1:21
Check out Search IMF
Scottswan Posted November 30, 2004

> Just a question: Don't some viruses pull email addresses off a PC, from the Address Book, and then use them to send out email messages? Where I used to work, people would get email messages from themselves sometimes, but I think it was a virus, or worm, just using the email address. This could explain what happened with Para.

You are correct that most viruses that are in the wild (Klez, Mydoom, Netsky to name some of the popular ones) are designed to propagate themselves by finding addys on the infected PC and sending a copy of itself to each. The exe that Para posted was proven by Kloyenz and I think also Larry to send an email to just one address...

    Received: from 127.0.0.1 (AVG SMTP 7.0.269 [265.4.3]); Mon, 29 Nov 2004 19:59:10 +0100
    From: CIA-Notify <notify@cia.com>
    To: xparax@gmail.com <xparax@gmail.com>
    Subject: CIA Server Online 192.168.1.100
    Date: 29/11/2004 19:59:10
    Mime-Version: 1.0
    Content-Type: text/plain; charset=us-ascii

    Server Ip: 192.168.1.100
    Port: 6333

It doesn't look like it even sends a copy of itself in the email. But it does try to send the infected PC's IP address in the body of the email. The above copy of the email that was sent from Kloyenz's PC shows that his IP is 192.168.1.100. Correct me if I'm wrong, but that IP means that PC was the first to log into a Linksys router using DHCP (DHCP starts at 100 and goes up in a Linksys router). The receiver of that email (xparax@gmail.com) can't use that IP for anything because it is a LAN IP and can't be accessed via the internet. But the 'Received' IP, 127.0.0.1, is a valid internet IP.

So either way xparax@gmail.com got Kloyenz's IP address and knows that he ran that exe file. I would also take a guess and say that Kloyenz's port 6333 has been opened up and is waiting for something, possibly a client that can talk directly to the program(s) that got launched by that exe file. That's just a hypothetical example of what that program does based on Kloyenz's post a while back; I doubt he let it get that far. But this exe file has many indications of being a remote access trojan, not necessarily a virus.

-Scott
erebus Posted November 30, 2004

> The receiver of that email (xparax@gmail.com) can't use that IP for anything because it is a LAN IP and can't be accessed via the internet. But the 'Received' IP, 127.0.0.1, is a valid internet IP. So either way xparax@gmail.com got Kloyenz's IP address and knows that he ran that exe file.

I doubt it; 127.0.0.1 is only the localhost. I believe that this is a bug in the so-called virus. Instead of sniffing the public IP, it sends the private one... so its purpose in this case just fails (OK, I know the port, but which is the IP?).
Scottswan Posted November 30, 2004 (edited November 30, 2004 by Scottswan)

This just in... A full explanation of what Para's posted exe does.

-Scott

Edit: More
Scottswan Posted November 30, 2004

> I doubt it; 127.0.0.1 is only the localhost. I believe that this is a bug in the so-called virus. Instead of sniffing the public IP, it sends the private one... so its purpose in this case just fails (OK, I know the port, but which is the IP?).

Good point. I don't think Kloyenz actually let the email send out through his ISP. If he had, the email would have contained his real IP. You can test this yourself... First find your actual internet IP here. Then send yourself an email and look at the header when you get it back. The second "Received:" in the header should have the IP of your ISP's sendmail server and also your ISP's URL along with your current IP.

-Scott
sugi Posted November 30, 2004

> [...] so its purpose in this case just fails (OK, I know the port, but which is the IP?).

It didn't fail... Guess you don't know what is in an email. You can get the IPs of all computers that forwarded a mail from the headers. Even a lot of webmail services add this information to the mail even if it's not technically necessary. "Send me an email and I'll tell you what ISP you're using."
erebus Posted November 30, 2004

@sugi: That's true, but even if you know my ISP you can't know my public IP in this way. It must be included in the mail's headers or in the mail's body if the virus does this.
tuape Posted November 30, 2004

Still waiting for a good explanation from para. In my opinion there are too many coincidences here. How convenient that he got error messages. How strange that his email address was used. Why didn't his AV program identify a trojan like everybody else's? Was it a coincidence that this thread was named 'Interesting program'? Was it a coincidence that he started by describing how much he likes open source but... I really hope I'm wrong. If not, Jon probably has his IP & email address, right?
layer Posted November 30, 2004

Bad side: for one thing... I agree with Scottswan... why did he post it twice? Obviously he thought he was smart and tried to give it to multiple people... Also, I agree with nova... stop the exe posts... but I agree with Jon, let people post zip... I usually post exe only so that when I get to my cousin's house, I can download it there and use it, since they don't trust others over the internet... and I also post the source for everyone who would rather copy and paste it (like me). I don't actually expect people to download the .exe, that's for my use. I still think it's fishy that it's called a "RECORDING" program... maybe a keylogger that also logs everything else about your computer rather than keystrokes... Worst case scenario, ban his IP.

Good side, from Valik:

> There are 3 ways this may not be para's fault:
> 1) para may have this virus and it attached itself to this file.
> 2) para's friend may have this virus and it attached itself to this file.
> 3) para's friend is a worthless moron who needs shot.

Also... @Valik: thanks for explaining to me what a virtual machine is =)

FootbaG
killaz219 Posted November 30, 2004

Someone's an AutoIt hater......
sykes Posted December 1, 2004

> Correct me if I'm wrong, but that IP means that PC was the first to log into a Linksys router using DHCP (DHCP starts at 100 and goes up in a Linksys router).

Not necessarily... That IP is one of many that are reserved for private networks... Depending on the brand of router and how the router is set up, the IP address could be anywhere in the 192.168.1.1 to 192.168.1.255 range (minus the IP of the router). This range, along with all of the other private ranges, can be used in any router. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

    10.0.0.0 - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255

You can find more info about this at: http://www.faqs.org/rfcs/rfc1918.html

We have enough youth. How about a fountain of SMART?
sugi Posted December 1, 2004 (edited December 1, 2004 by sugi)

> @sugi: That's true, but even if you know my ISP you can't know my public IP in this way. It must be included in the mail's headers or in the mail's body if the virus does this.

I know it because the receiving mail server adds the IP it got the mail from (that's your IP) to the headers. So there's no need for the virus to do this. I guess the one who wrote that trojan wanted to create a trojan that could be used even by fools. Looks like this (I changed the IPs):

    Received: from [123.45.67.89] (schuh.manitu.net [123.45.67.89]) by mailin.manitu.net (8.11.6/8.11.6) with ESMTP id iAUG3Ds16857; Tue, 30 Nov 2004 17:03:13 +0100
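The question sugi, erebus and sykes argue over above (which address in such a notification mail is actually usable: the LAN address the program writes into the body, or the address the receiving mail server records in its Received: header) can be checked mechanically. The following is an added example written for this page; it is not code posted in the thread and has nothing to do with AutoIt. It uses Python's standard email and ipaddress modules to classify every IPv4 literal in the Received: chain as loopback, RFC 1918 private, reserved or public, and reports the earliest public hop. The two sample messages are constructed from the headers quoted in the thread, with the mailbox names replaced by example.invalid placeholders and one extra internal delivery hop invented for the second message.

```python
"""Classify the IP addresses carried in a mail's Received: headers.

Added example for this thread, not code posted in it. Sample messages are
constructed from the headers quoted above; mailbox names are placeholders.
"""
import ipaddress
import re
from email import message_from_string

# Dotted IPv4 literal. Version strings like "8.11.6" (3 groups) never match.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Self-reported address in the mail body, in the form quoted in the thread.
BODY_IP_RE = re.compile(r"^Server Ip:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip_text):
    """Return 'loopback', 'rfc1918', 'public' or 'reserved' for an IP literal.

    Raises ValueError when ip_text is not an IP address at all.
    """
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:                 # 127.0.0.0/8: never left the sending host
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"               # LAN address, not routable on the internet
    if ip.is_global:
        return "public"
    return "reserved"                  # link-local, shared, multicast, etc.


def received_hops(raw_message):
    """List (header_index, ip, class) for every IPv4 literal in Received: headers.

    Index 0 is the topmost header, i.e. the hop nearest the recipient; mail
    servers prepend Received: lines, so the highest index is the earliest hop.
    """
    msg = message_from_string(raw_message)
    hops = []
    for idx, header in enumerate(msg.get_all("Received") or []):
        for candidate in IPV4_RE.findall(header):
            try:
                hops.append((idx, candidate, classify(candidate)))
            except ValueError:         # e.g. 999.1.1.1 matches the regex but is not an IP
                continue
    return hops


def originating_public_ip(raw_message):
    """Public IP recorded in the earliest Received: header, or None if no hop is public."""
    by_header = {}
    for idx, ip, cls in received_hops(raw_message):
        by_header.setdefault(idx, []).append((ip, cls))
    for idx in sorted(by_header, reverse=True):   # earliest hop first
        for ip, cls in by_header[idx]:
            if cls == "public":
                return ip
    return None


def body_reported_ip(raw_message):
    """(ip, class) the sender put in the body under 'Server Ip:', or None."""
    msg = message_from_string(raw_message)
    match = BODY_IP_RE.search(msg.get_payload() or "")
    if not match:
        return None
    try:
        return match.group(1), classify(match.group(1))
    except ValueError:
        return None


# Constructed from the AVG-relayed copy quoted earlier in the thread.
MAIL_A = """\
Received: from 127.0.0.1 (AVG SMTP 7.0.269 [265.4.3]); Mon, 29 Nov 2004 19:59:10 +0100
From: CIA-Notify <notify@example.invalid>
To: recipient@example.invalid
Subject: CIA Server Online 192.168.1.100
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Server Ip: 192.168.1.100
Port: 6333
"""

# Constructed from sugi's sample header, with an invented internal delivery
# hop (the 10.0.0.5 line) prepended to show that the earliest hop wins.
MAIL_B = """\
Received: from mailin.manitu.net ([10.0.0.5]) by imap.example.invalid with LMTP; Tue, 30 Nov 2004 17:03:14 +0100
Received: from [123.45.67.89] (schuh.manitu.net [123.45.67.89]) by mailin.manitu.net (8.11.6/8.11.6) with ESMTP id iAUG3Ds16857; Tue, 30 Nov 2004 17:03:13 +0100
From: someone@example.invalid
To: recipient@example.invalid
Subject: test

hello
"""

if __name__ == "__main__":
    for name, mail in (("MAIL_A", MAIL_A), ("MAIL_B", MAIL_B)):
        print(name, received_hops(mail))
        print("  originating public IP:", originating_public_ip(mail))
        print("  body-reported IP:", body_reported_ip(mail))
```

For someone triaging such a mail, a 127.0.0.1 or 192.168.x.x hop means the message was handed off locally or within the LAN (as with the AVG-relayed copy quoted above), whereas a public address in the bottom-most Received: header is the address the ISP's server actually accepted the connection from, which is sugi's point. Received: headers are written by each relay and can be forged by the sender for hops before the first trusted server, so only the headers added by servers you trust should be relied on. The regex recognises dotted IPv4 literals only, so IPv6 relays are ignored.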