The online racing simulator
careful about this "tool"
(37 posts, started )
BE VERY Careful about this "tool" in rsc
No idea if it's a real tool or not.
I just know I was reading it and it sounds suspicious.
A lot.
Do not run this until we have more info on what exactly it does.

If I wanted to make spyware to grab all your keys, this would be how I would do it, so...
I dunno, maybe it's legit. All I'm saying is be careful, because it sounds very fishy.

http://forum.rscnet.org/showthread.php?p=2760808#post2760808

edit1: I opened the file for closer inspection in hex, and it connects to anon FTP at ftp.madmax05.250free.com
Beware: this comes from a newly registered nick... he says he was "working" on it for 6 months.
This smells fishy as hell. You have been warned.

edit2: [L] Connecting to ftp.madmax05.250free.com -> DNS=ftp.madmax05.250free.com IP=64.202.96.169 PORT=21
[L] Connected to ftp.madmax05.250free.com
[L] 220---------- Welcome to Pure-FTPd ----------
[L] 220-You are user number 6 of 100 allowed.
[L] 220-<<
[L] 220-*************************************
[L] 220-Downloads are not currently permitted
[L] 220-through FTP. Please use your 250Free
[L] 220-URL to download files. In addition,
[L] 220-only one person may be logged into
[L] 220-your username at a time.
[L] 220-*************************************
[L] 220->>
[L] 220-Local time is now 20:05. Server port: 21.
[L] 220-This is a private system - No anonymous login
[L] 220-RATIOS ARE ENABLED FOR EVERYONE:
[L] 220-to download 1 Mb, uploading 20000 Mb of goodies is mandatory.
[L] 220 You will be disconnected after 10 minutes of inactivity.
[L] USER madmax05
[L] 331 User madmax05 OK. Password required
Anyone know if it's ok? How's Tristan's PC?
That VB executable is compiled from a project named "C:\Documents and Settings\mad max\Desktop\ip stealer with back door\Project1.vbp", you might not want to run it :P
Yep, exactly what I am reporting.

RSC is spreading a hack...
Would be nice to have it removed soon...
Attachment deleted
Nice job guys on deleting this fast!

*edit* Why isn't that guy banned? *edit*
#8 - vari
How can I see that this thing is a virus without actually running it and f'ing myself?
Thanks for the report, Kid. Hopefully not too many people downloaded it.
Quote from Scirocco :How can I see that this thing is a virus without actually running it and f'ing myself?

You can look at the executable with a hex editor, inside there's a bunch of unicode strings that give a pretty good hint at what it's doing. There's the project name I said above, and the ftp address to 250free.com, and a login and pass to that site. It apparently attempts to upload a txt file with your ip address to that ftp.

There's also some personal info about the user at 250free.com, including an address and a phone number that probably are fake, an aol.com email address and an IP address that routes to AOL...

edit: and based on the files on the site, seems like no-one got caught, there's a file named "vicip.txt" but that includes only a LAN ip (192.168.0.2) :P
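One way to do the kind of triage Kegetys describes, pulling the embedded ASCII and UTF-16LE strings out of a file and flagging FTP hosts, VB project paths, URLs and IP addresses without ever executing it. This is an added example, not code from the thread; the sample bytes and the indicator patterns are constructed for the demo and the string values in it are the ones quoted in this thread.

```python
"""Static triage of an untrusted executable: list its embedded strings
(ASCII and UTF-16LE, which is how VB6 binaries store literals) and flag
indicators of the kind discussed in the thread. Added example; the sample
binary below is constructed for the demo, it is not the real attachment."""
import re

MIN_LEN = 6  # shortest run of printable characters worth reporting

# Indicator patterns (assumptions for this demo, extend as needed).
INDICATOR_PATTERNS = {
    "ftp_host": re.compile(r"\bftp\.[\w.-]+\.\w+", re.I),
    "vb_project_path": re.compile(r'[A-Za-z]:\\[^"<>|]*?\.vbp', re.I),
    "url": re.compile(r"https?://[^\s\"']+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


def find_indicators(data: bytes) -> dict[str, list[str]]:
    """Map indicator type -> unique matches found across all extracted strings."""
    hits: dict[str, list[str]] = {name: [] for name in INDICATOR_PATTERNS}
    for s in extract_strings(data):
        for name, pattern in INDICATOR_PATTERNS.items():
            for match in pattern.findall(s):
                if match not in hits[name]:
                    hits[name].append(match)
    return {name: values for name, values in hits.items() if values}


# Constructed stand-in for the attachment: junk bytes around UTF-16LE literals
# of the kind Kegetys found (project path, FTP host) plus an ASCII IP address.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00" + bytes(range(0, 32))
    + ("C:\\Documents and Settings\\mad max\\Desktop\\"
       "ip stealer with back door\\Project1.vbp").encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + "ftp.madmax05.250free.com".encode("utf-16-le")
    + b"\x00\x00" + b"64.202.96.169" + b"\x00\x00\x00"
)

if __name__ == "__main__":
    for kind, values in find_indicators(SAMPLE_BINARY).items():
        print(f"{kind}: {values}")
```

On a real sample, read the file with `open(path, "rb").read()` and pass those bytes to `find_indicators`; the same approach works for any binary that stores its literals as plain ASCII or UTF-16LE.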
Thanks Kidcodea.
There does seem to be a tiny problem ATM. I've seen enough evidence to suggest a security update should be part of the next patch, make 'em work it all out again.

Once the crack-muppets get pissed off trying to directly work with the exe, it's inevitable that little scams such as this will crop up.

May I be the first to openly suggest 'fighting dirty' with these kiddies; we know enough about 'em to make 'em think twice about screwing with the ONLY decent title out there.
#14 - ysu
If you can get their address we can start sending mailbombs and other niceties, or organizing bashing parties :-))))
Quote from Mbrio :It's 99% certain this is a trojan. If anyone did download the file, don't run it. If you did already run it:

- install a firewall if you haven't already.
- press ctrl+shift+esc, go to the 'process' tab and check for any suspicious programs running.
- open regedit (windowskey + r, type 'regedit', press enter) and check these reg keys for suspicious programs:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- Open your start menu and check if there's anything strange in your 'startup' folder.


Check this thread on the LFS forum for more information: http://www.lfsforum.net/showthread.php?t=3262

thanks mbrio, fonny and scirocco for prompt action.
Sorry for the trans-forum quote, but it's the only way I can add to that, with this bit of info:

If you want a bit more info on task processes without using more complicated commercial apps like WinTasks etc., you can use the fab processxp.exe from Sysinternals. The best small utils ever for PC imho, and free!
They should come default with Windows, but they don't, because they are good. Yeah, that was a Windows critique...

http://www.sysinternals.com/Utilities/ProcessExplorer.html

Leech the whole site if you want, because it's the best shit that can happen to your Windows. No shit, no fuss, straight to the point, easy to use utils.
I can monitor and control almost as much as I could with AmigaOS and SnoopDos etc.
Googling info on processes is also a nice time saver.
The gurus around surely know them, but I'm sure many people don't and I'm sure they will be helpful for a few around here.
Good tip Kidcodea. I'll link to your post on RSC.

Now let's just hope he didn't use Sony's rootkit :/. Is there an uninstaller for that thing yet? [edit] Yes there is, but apparently that's even worse...

@TheAfro: this has nothing to do with LFS or LFS's security. This is just a regular trojan that sends your IP to an FTP and leaves a backdoor open (at least that's my guess based on what Kegetys found out). That way the guy who made this can just connect to the IP through the backdoor and do whatever he wants. Assuming you understood all that, you'll realise this has nothing to do with LFS, apart from the fact the guy was using LFS as a ploy to get people to download the trojan.
Quote from Mbrio :@TheAfro: this has nothing to do with LFS or LFS's security. This is just a regular trojan that sends your IP to an FTP and leaves a backdoor open (at least that's my guess based on what Kegetys found out). That way the guy who made this can just connect to the IP through the backdoor and do whatever he wants. Assuming you understood all that, you'll realise this has nothing to do with LFS, apart from the fact the guy was using LFS as a ploy to get people to download the trojan.

In a way, it's almost comical that someone wishing to install a trojan would advertise in a manner to seduce those of us with 56k dial-up.

If he wants my Yoko Ono box set in .wav format that badly...
#19 - avih
In addition to someone posting on RSC to check the autorun entries in the registry, here's a great utility from systeminternals.com (the same guy that revealed the Sony Rootkit issue): Autoruns. It's the best utility that allows you to see programs that autorun with Windows/login that I know of.
Nice one, Inspector KiDCoDEa.
You da Man, Kid... it's guys like you keeping the rest of us safe that makes LFS such a great world to be a part of.
Quote from Theafro :There does seem to be a tiny problem ATM. I've seen enough evidence to suggest a security update should be part of the next patch, make 'em work it all out again.

Once the crack-muppets get pissed off trying to directly work with the exe, it's inevitable that little scams such as this will crop up.

May I be the first to openly suggest 'fighting dirty' with these kiddies; we know enough about 'em to make 'em think twice about screwing with the ONLY decent title out there.

But AFAIK it wasn't an LFS hack, it was just a program that you were "supposed" to run along with LFS...

Seems like he wasn't such a l33t hacker anyway, he only managed to get someone's LAN IP! lol!
#23 - axus
Is it not possible to change the address to which everything is sent using a hex editor and find out exactly what it sends?
I downloaded it, opened the zip and thought "no way am I running this". So I'm safe.

But my graphics card died yesterday (nothing to do with the attachment), so I'm not best pleased....
Quote from tristancliffe :But my graphics card died yesterday (nothing to do with the attachment)

Or is this just an excuse not to appear nooby?
Quote from tristancliffe :so I'm not best pleased....

That I can sympathise with. But these things happen.