So I go on Yahoo chat yesterday... what do I see...
The place is absolutely flooded with some guy and his 10000s of chatbots. Clicking on profilehome.com took me to http://xnet4.ipwn.com/. Interesting, a 'yahoo webcam viewer' application. So I download it, and check it out with OllyDbg to see what it's doing. Seemed safe enough, so I ran it (with my trusty packet sniffer running in the background). The file xsphinx.exe goes and 'initializes installation', downloading the file xmain.exe from the server, putting it in the windows\system32 directory, and launching it (also loading it on startup).
I run xmain.exe, and it turns out the program requests http://xnet4.ipwn.com/ys/dat/mylink.txt for the link it will be spamming, then grabs some accounts/passwords (Jesus, learn to encrypt, you idiot) from http://xnet4.ipwn.com/(removed), i.e. jennifer_xv2161, logs the accounts loaded on the computer at http://xnet4.ipwn.com/log.php, and finally gets a list of chatrooms from http://xnet4.ipwn.com/ys/dat/mychats.txt.
So anyone that downloads this exe will have a trojan that runs in the background and on startup, and that connects several Yahoo bots into chat to spam the channels. The bots will spam the profilehome.com URL.
Now profilehome.com will sometimes redirect you to the trojan page, and sometimes to ImLive (http://imlive.com/wmaster.asp?WID=12...0000000_00000). The DNS for profilehome.com points to some free DNS server, which eventually leads to https://www.theplanet.com/ where it is hosted.
As I am looking through my cache, I find the URL to the image http://ipwn.com/pcstats.jpg
Looks like this was probably saved to my cache from GFY! Searching ipwn.com to see who is retarded enough to post his stats from his trojaned computers, there are several matches to one 'bliket'.
Now here's some fun stuff.
Here he is complaining how mtree has not paid him yet:
http://www.gofuckyourself.com/showthread.php?t=677741
And here he is being stupid enough to post pictures of himself showing off how studly he is:
http://www.gofuckyourself.com/showthread.php?t=676492
I'm sure ImLive will have no problem dealing with this guy.
And here's a nice article on what happens to people who get caught running botnets:
http://www.techweb.com/wire/security/173500033
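The post above gives enough to write detection logic for this trojan from the defender's side: the C2 host and the three config/exfil paths the bot fetches, plus the dropped file names and their location. The following is an added example (not the poster's code, and not anything from the sites named) that scans constructed proxy-log lines and a constructed autorun dump for those indicators. The log line format, the sample client IPs and the autorun entries are all made up for the example; the "/xmain.exe" path is an assumption, since the post only says xmain.exe is downloaded from the server without giving the exact URL.

```python
import re
from urllib.parse import urlsplit

# Network indicators taken from the post: the host the bot talks to and the
# paths it requests. Descriptions say what each request means for triage.
C2_HOST = "xnet4.ipwn.com"
C2_PATHS = {
    "/ys/dat/mylink.txt": "fetch of URL to spam",
    "/ys/dat/mychats.txt": "fetch of chatroom list",
    "/log.php": "upload of accounts found on the machine",
    "/xmain.exe": "payload download (path is an assumption, not from the post)",
}
# The three requests that together show the bot is fully configured and running.
ACTIVE_BOT_PATHS = {"/ys/dat/mylink.txt", "/ys/dat/mychats.txt", "/log.php"}

# Host indicators from the post: dropper and payload, dropped into system32.
DROPPED_FILES = {"xsphinx.exe", "xmain.exe"}

# Constructed sample proxy log: "client_ip method url status". Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example.com/index.html 200
10.0.0.7 GET http://xnet4.ipwn.com/xmain.exe 200
10.0.0.7 GET http://xnet4.ipwn.com/ys/dat/mylink.txt 200
10.0.0.7 POST http://xnet4.ipwn.com/log.php 200
10.0.0.7 GET http://xnet4.ipwn.com/ys/dat/mychats.txt 200
10.0.0.9 GET http://profilehome.com/ 302
"""

# Constructed sample of startup entries as (name, image path). Not real data.
SAMPLE_AUTORUNS = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("xmain", r"C:\WINDOWS\system32\xmain.exe"),
    ("updater", r"C:\Program Files\Vendor\xmain.exe"),  # same name, wrong place: not flagged
]

LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def find_infected_hosts(log_text):
    """Return {client_ip: [(path, description), ...]} for every client that
    contacted the C2 host. Requests to that host with an unknown path are kept
    too, since any traffic to it is worth a look."""
    hits = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        parts = urlsplit(m.group("url"))
        if parts.hostname != C2_HOST:
            continue
        desc = C2_PATHS.get(parts.path, "other request to C2 host")
        hits.setdefault(m.group("ip"), []).append((parts.path, desc))
    return hits


def is_active_bot(hits_for_ip):
    """True when a client has fetched both config files and posted to log.php,
    i.e. it has gone through the full start-up sequence the post describes."""
    seen = {path for path, _ in hits_for_ip}
    return ACTIVE_BOT_PATHS <= seen


def check_autoruns(entries):
    """Flag startup entries whose image is one of the dropped file names and
    lives under system32, which is where the dropper puts xmain.exe."""
    flagged = []
    for name, image in entries:
        normalised = image.replace("\\", "/").lower()
        fname = normalised.rsplit("/", 1)[-1]
        if fname in DROPPED_FILES and "/system32/" in normalised:
            flagged.append((name, image))
    return flagged


if __name__ == "__main__":
    for ip, hits in find_infected_hosts(SAMPLE_LOG).items():
        state = "ACTIVE BOT" if is_active_bot(hits) else "contacted C2"
        print(f"{ip}: {state}")
        for path, desc in hits:
            print(f"    {path}: {desc}")
    for name, image in check_autoruns(SAMPLE_AUTORUNS):
        print(f"suspicious autorun {name!r}: {image}")
```

Run as-is it reports 10.0.0.7 as an active bot with all four requests listed, and flags only the system32 copy of xmain.exe. To use it on real proxy logs, replace SAMPLE_LOG with your own lines and adjust LINE_RE to your log format; the host and path indicators are the part worth keeping.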