Found these exes attacking my machines; some friends also found them.
//EDIT: OF COURSE I FORGOT TO SAY: DO NOT RUN THE EXE, THAT'S A WORM
//EDIT: If by mistake you clicked on it:
- remove the exe added to HKLM\Software\Microsoft\windows\CurrentVersion\Run\
- remove the exe added to HKLM\Software\Microsoft\windows\CurrentVersion\RunServices\
- remove it from the HDD (most often in %SystemRoot%\System32\)
- del %systemroot%\csrss32.* /s (will remove the csrss32.exe app created by the worm)
- edit the %systemroot%\system32\drivers\etc\hosts file (the worm redirects many security/antivirus websites to 127.0.0.1, so they are no longer accessible)
wmiprvsc.exe or wmipsvsc.exe
then it runs csrss32.exe on the machines, eating all the RAM. It exists because some dumbass (wonk, nils, phatty) released a worm to the public. Tsss. (filtered) dumbasses
I post the exe of the worm; you'll see that the guy included CScannerLSASS into phatbot & it has been exploiting XP + 2k as well for about 2 weeks.
If you don't think it's phatbot, look at the value RAYAN1918 in the exe; that's from a WONK code posted on ryan's site.
you really suck wonk.
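The last fix in the edit above (the worm rewriting the hosts file so security sites resolve to 127.0.0.1) can be checked and undone mechanically. The script below is an added example, not code from this thread or from any poster: it parses a hosts file, flags every name that is mapped to a loopback address other than the stock localhost entries, and writes a cleaned copy. The sample hosts content and the hostnames in it are constructed for the example; the only thing assumed from the post is the file's location, %SystemRoot%\system32\drivers\etc\hosts.

```python
import ipaddress
import sys
from typing import List, Tuple

# Names that legitimately point at a loopback address in a stock hosts file.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample of a tampered Windows hosts file (hostnames are made up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-antivirus.test
127.0.0.1       update.example-security.test   # added by malware (constructed)
10.0.0.5        intranet
::1             localhost
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for each mapping line.

    Comments (everything after '#') and blank lines are skipped; the line
    number refers to the original file so findings can be reported.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; leave it alone
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def find_loopback_redirects(text: str) -> List[Tuple[int, str]]:
    """Flag hostnames mapped to loopback that are not normally loopback.

    ipaddress.is_loopback is used so any 127.0.0.0/8 or ::1 mapping counts,
    not only the literal 127.0.0.1 named in the post.
    """
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an IP literal; not our concern here
        if not ip.is_loopback:
            continue
        for name in names:
            if name.lower() not in LEGIT_LOOPBACK_NAMES:
                findings.append((lineno, name))
    return findings


def clean_hosts(text: str) -> str:
    """Return the hosts file text with every flagged line dropped.

    The stock 'localhost' lines are never flagged, so they survive.
    """
    bad = {lineno for lineno, _ in find_loopback_redirects(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1) if i not in bad]
    return "\n".join(kept) + "\n"


def main(argv: List[str]) -> int:
    # On Windows the live file is %SystemRoot%\system32\drivers\etc\hosts;
    # pass that path as the first argument, otherwise the sample is checked.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    findings = find_loopback_redirects(text)
    for lineno, name in findings:
        print(f"line {lineno}: {name} is redirected to loopback")
    if not findings:
        print("no suspicious loopback redirects found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the sample findings, or with the path of the real hosts file to audit a machine; `clean_hosts` gives the text to write back once the flagged lines have been reviewed. Drop-the-whole-line is deliberate: a legitimate loopback name sharing a line with a redirected one is rare enough that a human review beats silently rewriting it.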
Fantafour
Apr 29 2004, 09:57 PM
I'd rather you HURRY to delete the ftp link... the encryption is easy to decrypt!
x1`
Apr 29 2004, 10:24 PM
Whereabouts in the exe is the server that it connects to?
Axl
Apr 30 2004, 04:19 AM
QUOTE (101 @ Apr 29 2004, 09:28 PM)
Found these exes attacking my machines; some friends also found them.
wmiprvsc.exe or wmipsvsc.exe
then it runs csrss32.exe on the machines, eating all the RAM. It exists because some dumbass (wonk, nils, phatty) released a worm to the public. Tsss. (filtered) dumbasses
I post the exe of the worm; you'll see that the guy included CScannerLSASS into phatbot & it has been exploiting XP + 2k as well for about 2 weeks.
If you don't think it's phatbot, look at the value RAYAN1918 in the exe; that's from a WONK code posted on ryan's site.
You are a (filtered) dumbass. You ought to respect what wonk has done; wonk/ago rocks the shizzle, so stuff it up your ass, loser!!! You shouldn't spread botnet exes like this :@ and I'm only glad that this shit is polymorphed so u script kiddies can't mess with it. Oh yea, to make it even at all the losers who posted so far: @Fantafour, don't quit your day job, cause I'm positive u can't decrypt this. Decrypting a polymorphed exe and actually changing it takes a lot of time and initiative which I doubt you have. Oh and FYI Nils ain't even on the phatbot team anymore (well... with this release he technically was, so I give u that).
Thom
Apr 30 2004, 05:24 AM
QuantumTopology, it seems like you're the botnet scriptkiddie around here.
shiz
Apr 30 2004, 06:57 AM
lol @ thom soo true..
101
Apr 30 2004, 11:15 AM
The intelligence of this worm owner shouldn't be so much bigger than yours, quantum... I just hope som1 will take this 5lut off, like your kiddie botnet, quantum.
OF COURSE I FORGOT TO SAY: DO NOT RUN THE EXE, THAT'S A WORM
ThEWaTcHeR
Apr 30 2004, 11:40 AM
101, the IP of your server is: 212.61.70.169.
To decrypt, only ping the crypted IP.
Better, u attach the filez here.
101
Apr 30 2004, 11:53 AM
I didn't see the attachment the first time heh, thx watcher, it's edited.
Fantafour
Apr 30 2004, 12:59 PM
Every encrypted IP is DEcrypted when you connect with FlashFXP 2.x
FlashFXP 1.4 can't do it :>
It was just a little warning.
101
Apr 30 2004, 01:38 PM
Firstly, fantafour, watcher & other kids, this thread isn't about IP crypting. Then, I don't think I need your learning shit; all that you told me, I already know. That's just a quick crypt against n00bs who have nothing to do. If you guys haven't something decent to add, plz go flame outside my thread.
Axl
Apr 30 2004, 02:16 PM
QUOTE (Thom @ Apr 30 2004, 05:24 AM)
QuantumTopology, it seems like you're the botnet scriptkiddie around here.
I'm the botnet script kiddy? I wanna see you code something useful; ha, doubt u can. But I really respect wonk/ago and phatty because they are good coders and you have no right to insult them like that without valid justification. @101 You just silence; you had no justification to insult wonk like that. 101, of course the worm is bigger than your intellectual capacity can understand. I did not say a polymorphed exe was impossible to alter, and I did not say I've never done it, but I find it ridiculous you distributing phatty's shit like this. You ought to be ashamed; it wasn't your hard work. And for you stupid noobers telling me I'm the "botnet script kiddie", I doubt a botnet script kiddie knows asm fluently for 6 years, or C++ or Delphi for that matter. Put that in your pipe and smoke it. Finally, one last word. This thread has no purpose in the first place and as far as I'm concerned anyone who responded to me negligibly ought to be smacked. There is no legit purpose in distributing this exe like you have just done; imagine what you have just done. Ago, phatty and the team worked their asses off on this bot, and they weren't individually targeting you. If anyone is the script kiddie, it is you, 101, for making your computer vulnerable enough to be infected with it. Later, I'm out!
101
Apr 30 2004, 04:42 PM
lol, only what I know is this thread will help more than your flame here. So plz, leave the thread & go back to sucking wonk's dick, k, thx.
Axl
Apr 30 2004, 09:48 PM
QUOTE (101 @ Apr 30 2004, 04:42 PM)
lol, only what I know is this thread will help more than your flame here. So plz, leave the thread & go back to sucking wonk's dick, k, thx.
Name one way that this thread could POSSIBLY help anyone? If you could do so, and it is valid, I would certainly acquiesce to your request.
Rtyp3
Apr 30 2004, 10:12 PM
Well, apparently you should take down this stupid post; this isn't faggot1918.com (aka ryan1918.com).
Flowby
May 1 2004, 10:51 AM
How do you see what is in the exe?
agathos
May 1 2004, 02:56 PM
Disassemble it or open it with a hex editor.
Rtyp3
May 1 2004, 07:41 PM
Or you could use notepad.
TedOb1
May 2 2004, 05:45 PM
You could make it easy and get rid of all the unreadable garbage by using strings.exe against it.
Merchantp
May 3 2004, 06:23 AM
hehe, ryan ripped a spammer off for 30k; he'll be gone soon enough =)
r3L4x
May 3 2004, 10:48 PM
Bastards used all my CD keys from snag PP!
101
May 4 2004, 12:52 PM
The processes of the bot are now invisible...
You can find it using fport.exe, kill the hidden PIDs & do the fixes I told you.
It's infecting a lot atm in the fastest USA edus like cornell, columbia & many CLASS C IPs; I hope this kid will be busted.
nb: the guy prolly dunno cornell edu has some FBI hosts in their ranges ^^
r3L4x
May 4 2004, 10:51 PM
Who cares anyways; everyone knows bots are just an exercise in ripping.