
Sexy.exe whats it?

#1 User is offline   manu 

  • Master Sergeant
  • Group: Members
  • Posts: 820
  • Joined: 17-July 03

Posted 14 March 2005 - 05:58 AM

Any idea about the attached file?

Norton doesn't detect it; it is trying to connect to remote PCs using TFTP ... Take care when u check it, I have changed the EXTENSION from EXE to TXT .. Please change it back.

Manu

Attached File(s)

  • Attached File  sexy.txt (76.94K)
    Number of downloads: 80

0

#2 User is offline   laggy 

  • Private First Class
  • Group: Members
  • Posts: 26
  • Joined: 29-November 03

Posted 14 March 2005 - 06:10 AM

Kav says Backdoor.Win32.Rbot.gen.

So it's an rbot as usual (I've seen a lot of that shit lately). You could try sniffing the server and channel if you want to.
0

#3 User is offline   nolimit 

  • Sergeant First Class
  • Icon
  • Group: Members
  • Posts: 387
  • Joined: 27-January 04

Posted 14 March 2005 - 07:20 AM

Sexy.exe? It's me.
0

#4 User is offline   ash^ 

  • Private First Class
  • Group: Members
  • Posts: 72
  • Joined: 02-October 04

Posted 14 March 2005 - 03:13 PM

Packed with *Neolite 2.0 -> Neoworx Inc.* Most AVs struggle to pick up files packed with it.
0

#5 Guest_sk3tch_*

  • Group: Guests

Posted 14 March 2005 - 04:31 PM

- Connects to IRC server - "xxtalal.dynu.com" on port 6667
- Creates value "Sygate Personal Firewall"="sexy.exe" in Registry at the common locations (i.e. Run)
- Creates file C:\WINDOWS\SYSTEM\sexy.exe when executed
0

#6 Guest_sk3tch_*

  • Group: Guests

Posted 14 March 2005 - 04:46 PM

ash^, on Mar 14 2005, 11:13 PM, said:

Packed with *Neolite 2.0 -> Neoworx Inc.* Most AVs struggle to pick up files packed with it.


How were you able to determine this? Kaspersky (for example) lists the following info on this file -

Kaspersky Anti-Virus On-Demand Scanner for Linux. Version 5.0.5/RELEASE build #13, compiled Nov 29 2004, 16:50:29
Copyright (C) Kaspersky Lab, 1997-2004.
There are 114714 records loaded, the latest update 14-03-2005
Config file: /etc/kav/5.0/kav4unix.conf
sexy.exe Packed PE_Patch
sexy.exe Packed MewBundle
sexy.exe Packed MEW
sexy.exe INFECTED Backdoor.Win32.Rbot.gen


Which of those listed corresponds with Neolite 2.0? Sorry if this is a n00b question... I'm just now getting familiar with packers/crypters/etc. B)
0

#7 User is offline   IcedOut3E 

  • Corporal
  • Group: Members
  • Posts: 154
  • Joined: 12-February 04

Posted 14 March 2005 - 09:56 PM

sk3tch, on Mar 14 2005, 08:31 PM, said:

- Connects to IRC server - "xxtalal.dynu.com" on port 6667
- Creates value "Sygate Personal Firewall"="sexy.exe" in Registry at the common locations (i.e. Run)
- Creates file C:\WINDOWS\SYSTEM\sexy.exe when executed


got a chan?

-----

There are 1 users and 483 invisible on 1 servers
> 1 operator(s) online
> 1 unknown connection(s)
> 14 channels formed
> I have 484 clients and 0 servers
> Current Local Users: 484 Max: 932
> Current Global Users: 484 Max: 932
0

#8 User is offline   SyS49152 

  • Corporal
  • Group: Specialist
  • Posts: 169
  • Joined: 04-January 05

Posted 15 March 2005 - 06:07 AM

please try to see what chan it connects to ..
the chans on that server are all hidden ...
irc is cleartext, it's not difficult ..
I'm just curious
0

#9 User is offline   brOmstar 

  • Sergeant First Class
  • Group: Members
  • Posts: 353
  • Joined: 12-January 04

Posted 15 March 2005 - 06:55 AM

ircserver: xxtalal.dynu.com:6667
channel: #rx-talal


Ethereal log:
NICK DEU|443726
USER cfjlbsl 0 0 :DEU|443726
:CASH.NICK.FBI.GOV NOTICE AUTH :*** Looking up your hostname...
:CASH.NICK.FBI.GOV NOTICE AUTH :*** Found your hostname
:CASH.NICK.FBI.GOV 001 DEU|443726 :Welcome to the FBI IRC Network DEU|443726!cfjlbsl@pD9EB0D07.dip0.t-ipconnect.de
:CASH.NICK.FBI.GOV 002 DEU|443726 :Your host is CASH.NICK.FBI.GOV, running version Unreal3.2.2
:CASH.NICK.FBI.GOV 003 DEU|443726 :This server was created Sun Dec 19 2004 at 11:35:47 EST
:CASH.NICK.FBI.GOV 004 DEU|443726 CASH.NICK.FBI.GOV Unreal3.2.2 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzNT
:CASH.NICK.FBI.GOV 005 DEU|443726 CMDS=KNOCK,MAP,DCCALLOW,USERIP SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS :are supported by this server
:CASH.NICK.FBI.GOV 005 DEU|443726 WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beqa,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=FBI CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=@%+ EXCEPTS :are supported by this server
:CASH.NICK.FBI.GOV 251 DEU|443726 :There are 1 users and 765 invisible on 1 servers
:CASH.NICK.FBI.GOV 252 DEU|443726 1 :operator(s) online
:CASH.NICK.FBI.GOV 253 DEU|443726 7 :unknown connection(s)
:CASH.NICK.FBI.GOV 254 DEU|443726 13 :channels formed
:CASH.NICK.FBI.GOV 255 DEU|443726 :I have 766 clients and 0 servers
:CASH.NICK.FBI.GOV 265 DEU|443726 :Current Local Users: 766  Max: 952
:CASH.NICK.FBI.GOV 266 DEU|443726 :Current Global Users: 766  Max: 952
:CASH.NICK.FBI.GOV 375 DEU|443726 :- CASH.NICK.FBI.GOV Message of the Day - 
:CASH.NICK.FBI.GOV 372 DEU|443726 :- 3/11/2004 9:35
:CASH.NICK.FBI.GOV 372 DEU|443726 :- 
:CASH.NICK.FBI.GOV 376 DEU|443726 :End of /MOTD command.
:DEU|443726 MODE DEU|443726 :+iwx
USERHOST DEU|443726
:CASH.NICK.FBI.GOV 302 DEU|443726 :DEU|443726=+cfjlbsl@pD9EB0D07.dip0.t-ipconnect.de    
MODE DEU|443726 +R
JOIN #rx-talal 6677
USERHOST DEU|443726
MODE DEU|443726 +R
JOIN #rx-talal 6677
USERHOST DEU|443726
MODE DEU|443726 +R
JOIN #rx-talal 6677
:DEU|443726 MODE DEU|443726 :+R
:DEU|443726!cfjlbsl@rox-2E0C299D.dip0.t-ipconnect.de JOIN :#rx-talal
:CASH.NICK.FBI.GOV 353 DEU|443726 @ #rx-talal :DEU|443726 @Enigma 
:CASH.NICK.FBI.GOV 366 DEU|443726 #rx-talal :End of /NAMES list.
:CASH.NICK.FBI.GOV 302 DEU|443726 :DEU|443726=+cfjlbsl@pD9EB0D07.dip0.t-ipconnect.de    
:CASH.NICK.FBI.GOV 302 DEU|443726 :DEU|443726=+cfjlbsl@pD9EB0D07.dip0.t-ipconnect.de    
PING :CASH.NICK.FBI.GOV
PONG :CASH.NICK.FBI.GOV
PING :CASH.NICK.FBI.GOV
PONG :CASH.NICK.FBI.GOV
PING :CASH.NICK.FBI.GOV
PONG :CASH.NICK.FBI.GOV



Here is some info from VisualRoute:

67.17.66.169 so1-0-0-2488M.ar2.TPA1.gblx.net Tampa, FL, USA Global Crossing GBLX-13
64.215.80.66 ExpedientSago-NetworksDashboard-Communications.ge-2-0-0.ar2.TPA1.gblx.net Tampa, FL, USA Global Crossing GBLX-11D
65.110.32.8 gi0-1.ds01.tpa.sagonet.net Tampa, FL, USA Sago Networks SAGO-20030401
65.110.55.15 xxtalal.dynu.com Tampa, FL, USA Sago Networks SAGO-20030401


Some contact info if somebody has time:

OrgName: Sago Networks
OrgID: SAGO
Address: 4465 W. Gandy Blvd.
Address: Suite 800
City: Tampa
StateProv: FL
PostalCode: 33611
Country: US

NetRange: 65.110.32.0 - 65.110.63.255
CIDR: 65.110.32.0/19
NetName: SAGO-20030401
NetHandle: NET-65-110-32-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.SAGONET.COM
NameServer: NS2.SAGONET.COM
Comment:
RegDate: 2003-04-07
Updated: 2003-10-13

TechHandle: ZS203-ARIN
TechName: Sago Networks
TechPhone: +1-866-510-4000
TechEmail: ipadmin@sagonet.com

OrgTechHandle: TECHN20-ARIN
OrgTechName: Technical Support
OrgTechPhone: +1-866-510-4000
OrgTechEmail: support@sagonet.com

# ARIN WHOIS database, last updated 2005-03-14 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

OrgName: Sago Networks
OrgID: SAGO
Address: 4465 W. Gandy Blvd.
Address: Suite 800
City: Tampa
StateProv: FL
PostalCode: 33611
Country: US
Comment:
RegDate: 2001-06-05
Updated: 2002-11-08

AdminHandle: ZS203-ARIN
AdminName: Sago Networks
AdminPhone: +1-866-510-4000
AdminEmail: ipadmin@sagonet.com

TechHandle: TECHN20-ARIN
TechName: Technical Support
TechPhone: +1-866-510-4000
TechEmail: support@sagonet.com

# ARIN WHOIS database, last updated 2005-03-14 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
0
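An added example, not part of brOmstar's post or of any tool mentioned in the thread: a small Python parser that pulls the C2 indicators out of a captured IRC transcript like the Ethereal log above, namely the bot's nick, the ircd name and version from numeric 002, the channel and its key from the client-side JOIN, the user modes the bot sets (+i is the invisibility satknis mentions later in the thread) and the channel ops from the NAMES reply. The transcript embedded in the code is a constructed, shortened copy of the log above; the host the bot actually resolved (xxtalal.dynu.com) lives in the DNS/TCP layer, not in the IRC stream, so it is not part of this parse.

```python
import re
from dataclasses import dataclass, field

# Constructed transcript modelled on the Ethereal log above (host names shortened).
SAMPLE_LOG = """\
NICK DEU|443726
:CASH.NICK.FBI.GOV 002 DEU|443726 :Your host is CASH.NICK.FBI.GOV, running version Unreal3.2.2
:DEU|443726 MODE DEU|443726 :+iwx
MODE DEU|443726 +R
JOIN #rx-talal 6677
:CASH.NICK.FBI.GOV 353 DEU|443726 @ #rx-talal :DEU|443726 @Enigma
PING :CASH.NICK.FBI.GOV
"""

@dataclass
class IrcSession:
    nick: str = ""                                  # bot nick: country tag + random digits
    server: str = ""                                # name and version the ircd announces (002)
    version: str = ""
    channels: dict = field(default_factory=dict)    # channel -> key sent with the client JOIN
    user_modes: set = field(default_factory=set)    # +i (invisible) is why bots hide from NAMES
    ops: set = field(default_factory=set)           # @-prefixed nicks from NAMES replies

def parse_line(line):
    """(prefix, COMMAND, params) per RFC 1459 framing; prefix is None for client-sent lines."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split() + ([trailing] if sep else [])   # trailing param may contain spaces
    return prefix, params[0].upper(), params[1:]

def summarize(log_text):
    """Pull C2 indicators out of a captured client<->server IRC transcript."""
    s = IrcSession()
    for raw in filter(str.strip, log_text.splitlines()):
        prefix, cmd, params = parse_line(raw.rstrip("\r"))
        if cmd == "NICK" and prefix is None:
            s.nick = params[0]
        elif cmd == "002":
            m = re.search(r"Your host is (\S+), running version (\S+)", params[-1])
            if m: s.server, s.version = m.groups()
        elif cmd == "JOIN" and prefix is None:       # client JOIN carries the channel key
            s.channels[params[0]] = params[1] if len(params) > 1 else None
        elif cmd == "MODE" and params[0] == s.nick and params[1].startswith("+"):
            s.user_modes.update(params[1][1:].split("-")[0])   # bots only ever add modes here
        elif cmd == "353":                           # NAMES reply: who holds ops in the channel
            s.ops.update(n[1:] for n in params[-1].split() if n.startswith("@"))
    return s
```

Fed the full capture instead of the sample, the same function lists every channel/key pair the bot joined and whether it set +i, which is what the later question about seeing only the admins in the channel comes down to.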

#10 User is offline   SyS49152 

  • Corporal
  • Group: Specialist
  • Posts: 169
  • Joined: 04-January 05

Posted 15 March 2005 - 07:36 AM

they banned me ...
funny
the op is named Enigma ..
0

#11 User is offline   brOmstar 

  • Sergeant First Class
  • Group: Members
  • Posts: 353
  • Joined: 12-January 04

Posted 15 March 2005 - 07:45 AM

I think Enigma is the operator ... the bots have names like DEU|443084 and are hidden. There are 13 hidden chans with more than 700 bots =( I talked with my own bot because I know the name .... started sexy.exe, read the IRC server+chan via Ethereal, connected via mIRC and /query mybotname .findpass gave me the login of my VMware box ...


question @ash how do u find out what packer was used??
0

#12 User is offline   ash^ 

  • Private First Class
  • Group: Members
  • Posts: 72
  • Joined: 02-October 04

Posted 15 March 2005 - 09:26 AM

PEiD - PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 470 different signatures in PE files.

Good for ripping open IRC bots and removing bots or using the comps for something useful.

hxxp://peid.tk

:ph34r:
0

#13 User is offline   Chris 

  • Specialist
  • Group: Specialist
  • Posts: 1,202
  • Joined: 31-August 03

Posted 15 March 2005 - 11:28 AM

They seem to be using some modded ircd, as I can see there are 62 people on the channel but when I join it (key 6677) I only see the admins and myself ... or is this some setting they have just enabled?
0

#14 User is offline   satknis 

  • Corporal
  • Group: Members
  • Posts: 162
  • Joined: 18-March 04

Posted 15 March 2005 - 03:26 PM

If the bots use +i u wouldn't see them before they say something.
there are some other settings for irc to keep clients hidden, but i don't remember... :(
0

#15 User is offline   SyS49152 

  • Corporal
  • Group: Specialist
  • Posts: 169
  • Joined: 04-January 05

Posted 16 March 2005 - 04:37 AM

that server has a lot of default services on other open ports ..
maybe you are able to have a look inside from there ..
scan it ..
0
