* endellion.me.uk

Most Unethical (nt.exe, execpyd.exe)

Using the VNC authentication flaw, Server is forced to download a binary called nt.exe from 217.115.142.93. Upon execution, this program begins to access a number of websites with both GET and POST methods. Server is GETting a load of dll files: lo1.dll, genana.dll, itknown.dll, and an exe: execpyd.exe (from 82.98.235.61, which at the time of writing can still be had). The POSTs are all aimed at 82.98.235.15x, which resolves to "itknown.net". Google doesn't have an awful lot about them, so I have no idea what this outfit is all about.

There are evidently more goodies on offer at this website, as per the screenshots below, but Server is only getting a selection of them. Incidentally, we're being served by "thttpd/2.25b 29dec2003" last modified Fri, 26 Jan 2007.

I do appreciate the nice green background they have.

[Screenshots not preserved: vff, wtf, ths]

There is an ftp server at this address too, but I haven't hit upon the right user/pass yet.

Server appears to be clicking on lots of buttons, no doubt generating inflated hit counts for various pages. There is mention of clothes and fruit-flavoured chocolates, and such.

But the most astonishing side effect of this virus must be the popup window that appears in Internet Explorer, telling me that my system is infected with a trojan, and I have to click to buy this WinAntiVirusPRO2007 software (though the licence agreement says 2006) from www.amaena.com... Shame I lost the screenshots.

Execpyd.exe does a DNS query for 123topsearch.com and then visits there to obtain /install_3.php?id=c1829cfg,1ED872D3F6265:4CC9F7F38645CB974F only to be told it's not there (anymore).
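The hosts, IPs and filenames named above (and the DNS lookup just mentioned) are exactly the kind of indicators a defender would sweep a web-proxy log for. The following is an added example, not code from the original post: it takes the indicators as written on the page, treats the "82.98.235.15x" entry as a prefix match since the last digit is unknown, and runs them over a handful of constructed log lines in a simplified Squid-style format (timestamp, client, method, URL, status). The log format and the sample lines are assumptions made for the example.

```python
"""
Sweep a web-proxy log for the indicators named in the post.

Added example, not part of the original post. The indicator values come
from the page; the log format and the sample lines below are constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators as named on the page.
IOC_HOSTS = {"itknown.net", "123topsearch.com", "www.amaena.com"}
IOC_IPS = {"217.115.142.93", "82.98.235.61"}
# "82.98.235.15x": the last digit is not given, so match 150-159.
IOC_IP_PREFIX = re.compile(r"^82\.98\.235\.15\d$")
IOC_FILES = {"nt.exe", "execpyd.exe", "lo1.dll", "genana.dll", "itknown.dll"}

# Constructed log format: "<ts> <client> <METHOD> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log. 82.98.235.153 stands in for one of the 15x hosts.
SAMPLE_LOG = """\
1170000001 10.0.0.5 GET http://217.115.142.93/nt.exe 200
1170000002 10.0.0.5 GET http://82.98.235.61/lo1.dll 200
1170000003 10.0.0.5 GET http://82.98.235.61/execpyd.exe 200
1170000004 10.0.0.5 POST http://82.98.235.153/click.php 200
1170000005 10.0.0.7 GET http://www.example.com/index.html 200
1170000006 10.0.0.5 GET http://123topsearch.com/install_3.php?id=PLACEHOLDER_ID 404
garbage line that does not parse
""".splitlines()


def classify_url(url):
    """Return the (kind, value) indicators that a single URL matches."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # already lower-cased by urlsplit
    hits = []
    if host in IOC_HOSTS:
        hits.append(("host", host))
    if host in IOC_IPS:
        hits.append(("ip", host))
    elif IOC_IP_PREFIX.match(host):
        hits.append(("ip-prefix", host))
    # Only the last path component is compared against the filename list.
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename in IOC_FILES:
        hits.append(("file", filename))
    return hits


def scan_proxy_log(lines):
    """Parse each log line and collect one alert per matched indicator."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it, don't abort the sweep
        for kind, value in classify_url(m["url"]):
            alerts.append({
                "line": n,
                "client": m["client"],
                "method": m["method"],
                "kind": kind,
                "value": value,
            })
    return alerts


def infected_clients(alerts):
    """Sorted list of client addresses that touched any indicator."""
    return sorted({a["client"] for a in alerts})


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for a in found:
        print(f"line {a['line']}: {a['client']} {a['method']} -> {a['kind']} {a['value']}")
    print("clients to isolate:", infected_clients(found))
```

Matching on the filename as well as the host means a client that pulled nt.exe from a different server than the one seen here still raises an alert; the prefix match for 82.98.235.15x will also fire on neighbouring addresses in that block, which is the intended trade-off when the exact host is unknown.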

Whichever way, this just seems to be one of those things that is relatively harmless and majorly annoying. It clicks around without the user knowing, and pops up windows left, right and centre. How to get rid of it I don't know, because I didn't manage to catch/document this bug properly.