http://www.girlporn.org
is a zombie, haven't found any content that causes its spread.. very strange...
bot settings:
Aserver=66.98.223.114:6669,66.98.223.114:6668,66.98.223.107:6668,66.98.223.107:7000
nick=$v2$randn(5)
ident=dark
name=$comp ($v2/$ver) [$dtime] $cpu $os
umode=+i-xG
chan=#bok
version=33
vreply=mIRC v6.14 Khaled Mardam-Bey
pass=dede
master=*@undernet.org
master2=*@*.undernet.org
url=http://www.deligomlegi.com/updt33.bin
perform=join #bok 1
key=boklu
invt=xc2VydmVyPWtvdHUuZGVsaWdvbWxlZ2kuY29tOjY2NjcNCm5pY2s9JHZhcjENCmlkZW50PSR2YXIyDQpuYW1lPSR2YXIzDQpjaGFuPSNrb3R1Y29jdWsgYmViZXENCnVtb2RlPStpLXgNCm1hc3Rlcj0qQCprb3R1Y29jdWsuY29tDQptYXN0ZXIyPSp2b3Qq
those are 4 IP+ports for 2 servers.. both are unrealircd beta19 modified servers... and they are linked to each other. /map is blocked, /links seems to work, /lusers is blocked, no modules loaded (so source was edited).
zombies will show up like:
invz81956 is dark@**********.**********.** * KLAAS (invz/33) [21-05-2004 23:56] 1,55GHz Windows
invz81956 using kotu.deligomlegi.com tyrants
invz81956 has been idle 2secs, signed on Sat May 22 09:04:08
invz81956 End of /WHOIS list.
The channel #bok itself is +smntuk 1 and no ops present (so can't see anyone)...
Also, /list was modified to not show the channel even if I'm in it (normally you can see the usercount).
The virus itself (or actually 1 of them, scan.exe, the zombie) is caught as Backdoor.Delf.lq by f-secure.
Now this is all very interesting, but this isn't the "primary trojan" you are talking about ;)... For some reason I was unable to find that one...
Perhaps they used this primary trojan to execute a secondary virus (the one I just described) which is the backdoor... Ah well.. who cares.. I'll just add the sig you used into cvs ;).
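As an added example (not code from the post or from the bot itself): a small triage script that parses the key=value bot settings quoted above, collects the network indicators a defender would block or hunt for (IRC servers, channels, the update URL), and decodes the base64 `invt` blob, which turns out to carry a second key=value configuration with its own server and channel. The treatment of the leading `x` on that blob as a one-character prefix that is not part of the base64 data is an assumption; the decoder therefore tries all four alignments and keeps the one that yields clean printable text. Function names (`parse_config`, `decode_blob`, `extract_iocs`) are mine, and the embedded settings string is copied from the post (with the `url=` value joined onto one line).

```python
"""IoC extraction from a quoted IRC bot config (added example, not from the post)."""
import base64
import binascii
import string

# The bot settings quoted in the post above, copied verbatim apart from
# joining the url= value onto its own line.
BOT_CONFIG = """\
Aserver=66.98.223.114:6669,66.98.223.114:6668,66.98.223.107:6668,66.98.223.107:7000
nick=$v2$randn(5)
ident=dark
name=$comp ($v2/$ver) [$dtime] $cpu $os
umode=+i-xG
chan=#bok
version=33
vreply=mIRC v6.14 Khaled Mardam-Bey
pass=dede
master=*@undernet.org
master2=*@*.undernet.org
url=http://www.deligomlegi.com/updt33.bin
perform=join #bok 1
key=boklu
invt=xc2VydmVyPWtvdHUuZGVsaWdvbWxlZ2kuY29tOjY2NjcNCm5pY2s9JHZhcjENCmlkZW50PSR2YXIyDQpuYW1lPSR2YXIzDQpjaGFuPSNrb3R1Y29jdWsgYmViZXENCnVtb2RlPStpLXgNCm1hc3Rlcj0qQCprb3R1Y29jdWsuY29tDQptYXN0ZXIyPSp2b3Qq
"""

PRINTABLE = set(string.printable)


def parse_config(text):
    """Parse 'key=value' lines into a dict (keys lower-cased; values may contain '=')."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def decode_blob(blob):
    """Decode a base64 blob that may carry a short non-base64 prefix.

    Assumption: an obfuscating prefix of 0..3 characters. Each alignment is tried
    in turn; the first one that decodes (with repaired padding) to entirely
    printable text is returned as (offset, text). Returns None if none does.
    """
    for offset in range(4):
        candidate = blob[offset:]
        candidate += "=" * (-len(candidate) % 4)  # repair missing '=' padding
        try:
            raw = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("latin-1")  # never fails; printability check follows
        if text and all(ch in PRINTABLE for ch in text):
            return offset, text
    return None


def extract_iocs(cfg):
    """Collect servers, channels and URLs, including those in the embedded invt config."""
    iocs = {"servers": [], "channels": [], "urls": [], "embedded": {}}
    for key in ("server", "aserver"):  # the post's config spells it 'Aserver'
        if key in cfg:
            iocs["servers"].extend(s for s in cfg[key].split(",") if s)
    if "chan" in cfg:
        iocs["channels"].append(cfg["chan"].split()[0])  # '#name key' -> '#name'
    if cfg.get("url"):
        iocs["urls"].append(cfg["url"])
    if "invt" in cfg:
        decoded = decode_blob(cfg["invt"])
        if decoded is not None:
            embedded = parse_config(decoded[1])
            iocs["embedded"] = embedded
            if "server" in embedded:
                iocs["servers"].extend(s for s in embedded["server"].split(",") if s)
            if "chan" in embedded:
                iocs["channels"].append(embedded["chan"].split()[0])
    return iocs


if __name__ == "__main__":
    found = extract_iocs(parse_config(BOT_CONFIG))
    for kind in ("servers", "channels", "urls"):
        for item in found[kind]:
            print(f"{kind[:-1]:8} {item}")
    for k, v in found["embedded"].items():
        print(f"embedded {k}={v}")
```

Run as-is it prints the five server:port pairs (the four from the main config plus the one inside the blob), both channels and the update URL, followed by the decoded embedded settings; the same lists are what you would feed into a blocklist or a network-log search.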