Saw this today in nanau, thought it might interest people here.
Subject: Pedo Floods - A quick look at the program responsible
From: Stephen K. Gielda <steve@No-Spam-packetderm.com>
As many have speculated, the floods have been caused by a program.
Someone sent me a copy of the program to take a quick look at.
The file I received was called StartMenu.exe. It is a 28,672 byte file that has been compressed using UPX to around 7k. I uncompressed it, loaded it into a hex editor and took a look. I also loaded it on a test machine (Win98 virtual machine) to see it in action. It does a DNS lookup of the server hardcoded into it and immediately tries to start posting. It creates a log file called STARorbita.txt where it logs the results.
It is a very basic program. No distributed characteristics, no virus-like qualities, and it doesn't add itself to any auto startup (it is probably being dropped with another program to load it that I didn't get, or via an already trojaned machine). It doesn't modify anything. It also doesn't contain a pool of servers and looks like it must be recoded periodically when the open server it uses is closed (this file used news.hispeed.ch). There isn't much to it, so I probably won't dig into it further.
Here are the results from strings (I'm not going to go into more details, I'm sure you can figure it out from here :)
alt.test
news.admin.net-abuse.usenet
alt.binaries.nospam.teenfem.nonude
alt.2600
alt.binaries.pictures.erotica.male
alt.religion.scientology
alt.comp.virus
alt.hackers.malicious
alt.religion.christian
alt.politics.bush
alt.binaries.pictures.asparagus
Neil
Jack
Frank
Randy
Keith
Rick
Timothy
Mark
Charlie
Mike
Gordon
Habib
George
Albert
Herbert
Roosevelt
David
Carl
Nicholas
Peter
Shaniqua
Black
Rogers
White
Colt
Smith
Bell
Walton
Davis
Carter
Wilson
Andrews
Chung
Elliott
Harvey
Brown
Williams
Todd
Sawyer
Jones
Axelrod
Martiza Internet Services
Disorganized
Amigo Org.
Wakkina Software
Executive Orifice of the President
The Christian Coalition
little or none at all
FBI-CIA-NSA-DOJ-MI5-AOL-TimeWarner, Inc.
Lbh unir gbb zhpu shpxvat serr gvzr
wHipcreme
Iggerbay Enispay
12-15 yo. girls on nuddie webcam
13 y.o. webcam girls (nuddie)
12 - 13 yrs_old teen models UPDATED SITE
12yo ICQ girls
13 yo. webcam girls (1/1)
pteen chat grls (11-12yrs)
10 yr/old babydoll tittys
NEW URL 12 yr. old Michelle 1/1
10yrs. P-teen G1RLS? here:
Girls of 13-16
14 yo_webcam girls
15 yo. lolitas room
13 y/o ICQ girl
14yo daughter, nude asleep pics
Cindy 15 yrs_old
take a look--> http://www.computer2030.com/miembro/schoolpervs
youngie adolescent schoolgirls stripping off on cam
looking for real youngie girls from chat, ICQ, dalnet?
check http://www.computer2030.com/miembro/schoolpervs
take a look all youngie amateurs
http://www.globalpix.net/tour.htm
take a look
http://www.computer2030.com/miembro/schoolpervs
babydolls chatting nudy on IRC, mirc, dalnet
youngie adolescents stripping off to bare pu ss y
check http://www.globalpix.net/tour.htm
all real schoolgirls
looking for young faces, real chat youngies?
check http://www.computer2030.com/miembro/schoolpervs
little pr et ee ns & bedroom fantasies nuddie
check http://www.computer2030.com/miembro/schoolpervs
private room fantasies? want bald pu ss y :
check http://www.globalpix.net/tour.htm
only real amateur adolescents
check http://habitantes.elsitio.com/boys13
under-boys modeling their peenies on webcam
young, babyface adolescents
http://www.computer2030.com/miembro/schoolpervs
free previews
youngie adolescents stripping in front of the cam
check http://www.globalpix.net/tour.htm
Free access
take a look http://www.computer2030.com/miembro/schoolpervs
youngie lolita adolescents, all fantasies, touching bald pu ss y
more: http://www.computer2030.com/miembro/schoolpervs
amateur adolescents on webcam, ICQ, chat, etc
more tiny girls in their private rooms
http://www.globalpix.net/tour.htm
free previews
real lolitas modeling in the privacy of their bedrooms
check: http://www.computer2030.com/miembro/schoolpervs
young adolescents with teddy bears, toys, etc. in their hairless pu
ss y
scientology.org
elsitio.com
EnlargeYourPenisToday.Com
netexplora.com
google.com
my-deja.com
yahoo.com
hotmail.com
aol.com
fed.rr.com
mailman.lanl.gov
nuddie.com
baldpussy.org
hairless.net
fuck-a-preteen.com
postmans0.tripod.com
fenvhs.org
pteens.net
nohairboys.com
nohairgirls.com
preteen-paradise.net
buddingtittys.com
tenyearolds.net
allvirgins.com
little-virgins.com
QUIT
From: %s
Subject: %s
post
mode reader
authinfo pass %s
authinfo user %s
NNTP Reply: %s
Couldn't get news server's IP address!
Couldn't get news server's IP address!
Date: %d/%d/%d %d:%d -600
File KKK_QUOTEd OK
begin 644 %s
Couldn't open output file %s
Couldn't open output file %s
temp.uu
Couldn't open input file %s
Couldn't open input file %s
UUEncoding %s
%d/%d/%d %d:%d %s
Organization: %s
.jpg
Error: Specified file not found to attach!
now improved new site !! view of pthc xxx FREE !
%s,%s
%s@%s (%s %s)
news.hispeed.ch
orbita.txt
%s%s
GetModuleFileName failure, fatal error!
htons
recv
send
socket
gethostbyname
WSAStartup
WSACleanup
connect
GetModuleFileNameA
RtlUnwind
__GetMainArgs
_sleep
exit
fclose
fopen
fprintf
fputc
fputs
fread
localtime
memcpy
memmove
printf
raise
rand
signal
sprintf
srand
strcat
strcpy
strlen
strstr
time
WS2_32.DLL
KERNEL32.DLL
CRTDLL.DLL
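The strings dump above gives enough to write a quick triage check for this kind of Usenet posting bot: the NNTP session verbs with printf-style placeholders (`mode reader`, `authinfo user %s`, `post`), the uuencode marker (`begin 644 %s`), the Winsock imports, and the two sample-specific values (the hardcoded `news.hispeed.ch` server and the `orbita.txt` log name). The script below is an added example, not code from the post or its author; the function names `extract_strings`, `classify` and `build_sample` are my own, and the "binary" it runs on is a constructed byte blob built from the indicator strings, not the real StartMenu.exe. It has to be run on an unpacked file, since the post notes the sample was UPX-packed and a packed image will not show these strings.

```python
import re

# Indicator strings quoted from the strings(1) output of StartMenu.exe in
# the post above. Everything else in this file is an added example.
NNTP_STRINGS = {b"mode reader", b"authinfo user %s", b"authinfo pass %s",
                b"post", b"NNTP Reply: %s", b"QUIT"}
UUENCODE_STRINGS = {b"begin 644 %s", b"UUEncoding %s", b"temp.uu"}
WINSOCK_IMPORTS = {b"WSAStartup", b"gethostbyname", b"socket", b"connect",
                   b"send", b"recv", b"WS2_32.DLL"}
# Values tied to this particular build: the hardcoded open server and
# the log file name. A recompiled copy would likely change these.
SAMPLE_SPECIFIC = {b"news.hispeed.ch", b"orbita.txt", b"STARorbita.txt"}


def extract_strings(data: bytes, min_len: int = 4) -> set[bytes]:
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    return set(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data))


def classify(data: bytes) -> dict:
    """Score an unpacked binary image against the NNTP-poster indicators."""
    found = extract_strings(data)
    nntp = sorted(s.decode() for s in NNTP_STRINGS & found)
    uu = sorted(s.decode() for s in UUENCODE_STRINGS & found)
    winsock = sorted(s.decode() for s in WINSOCK_IMPORTS & found)
    specific = sorted(s.decode() for s in SAMPLE_SPECIFIC & found)
    # Posting capability needs several NNTP session verbs plus a socket
    # API; a binary that merely contains the word "post" does not trigger.
    can_post = len(nntp) >= 3 and len(winsock) >= 3
    if can_post and specific:
        verdict = "startmenu_variant"
    elif can_post:
        verdict = "nntp_poster"
    else:
        verdict = "no_nntp_capability"
    return {"verdict": verdict, "nntp": nntp, "uuencode": uu,
            "winsock": winsock, "sample_specific": specific}


def build_sample() -> bytes:
    """Constructed stand-in for an unpacked image: indicator strings
    separated by junk bytes, the way C string literals sit in .rdata."""
    parts = [b"MZ\x90\x00\x03", b"mode reader", b"authinfo user %s",
             b"authinfo pass %s", b"post", b"begin 644 %s",
             b"news.hispeed.ch", b"orbita.txt", b"WSAStartup",
             b"gethostbyname", b"connect", b"send", b"recv", b"WS2_32.DLL"]
    return b"\x00\x01\xff".join(parts) + b"\x00"


if __name__ == "__main__":
    import sys
    # Pass a path to an unpacked file, or run with no argument for the
    # constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in classify(blob).items():
        print(f"{key}: {value}")
```

The three-tier verdict matters in practice: the NNTP and Winsock strings identify the capability (any copy of this bot, whatever server it has been recoded to use), while the `sample_specific` hits tie a file to this exact build. Matching only on `news.hispeed.ch` would go stale the first time the author switched open servers, which the post says happens routinely.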