
MBK
This is one of the first real distributed denial-of-service attack trojans. Instead of sending TCP/IP exploit-based packet attacks, it uses SMTP to mass-mail. The hacker infects a group of computers with this trojan, configuring them all to email one person. Each computer sends an email every ten seconds to this person; let's say the hacker infected 100 computers: those hundred computers would send 6000 emails a minute to the one account.

Removal
Open regedit and follow this path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Click on 'RunServices' and the right-hand panel will change. Look for the item titled: Explorer = " "
The value after it will be a path ending with "mbt.exe".
The path can be almost anything.
Right click on 'Explorer' and choose Delete.
Reboot
Find and delete the file mbt.exe.

Mirc DDoS Password Stealer
There is a new trojan in the wild. This trojan's name is unknown to me at this time, so I will
name it irc-internet explorer password stealer. This trojan has the following characteristics
or features:

1) It is only irc controlled (from what I can figure out). It doesn't seem to open any ports to
listen on, so remote administration through telnet or another client apart from irc seems to be
impossible. The trojan logs the victim onto the following server and channel on irc.
server :  irc.webchat.org
channel : #da934das.da834dasda.23qwed78das
This channel has been taken back by ircops, so if they don't know you, don't bother asking for
op status. At the moment the trojan makers can't get their victims back and we want it to
stay this way.

2) It has password-stealing abilities; it can only steal cached passwords from Internet
Explorer, but this is enough in some instances to steal people's dial-up internet accounts (RAS).
The interesting thing is that most of the people infected are into pornography, and so
all these passworded sites are compromised because of this trojan.

3) The trojan was hidden in a geocities website and was disguised as a viewer for
pornographic material. This site has now been shut down. Another place the trojan was
hidden was this website: http://members.xoom.com/utopia2099/tro/update.exe
and as far as I know this site has also been shut down. I was told by one of the users and
maybe coder (he was not very honest, so I don't know if he made it or if he was just
involved in distributing it) that the update.exe file was made to transport all the victims to an
irc server owned by the trojan's makers.

4) It is an irc distributed denial-of-service tool. It can be used to flood irc channels and it's
very hard to block because they are not clones; they are all individuals with individual IP
numbers, so putting them on ignore would mean having to put over 150 of these infected
drones on ignore one by one.

REMOVAL:
When the trojan is executed, the filename is XXXXdriv.exe in your SYSTEM directory,
where XXXX are 4 letters; I don't know if they're random letters or not. Remove all files that
end with *driv.exe in that directory to make sure it gets removed.

Now open regedit (Start, Run, type regedit) and follow this path:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
There will be a registry entry in RunServices. It could be the same as the ****drive.exe file or
it could be different. This key has to be removed and the victim needs to reboot.
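
Both removal procedures above come down to inspecting the RunServices key. The following is an added example, not part of the original page: it reads a regedit text export and flags RunServices values matching either description. The sample export, the function names and the labels are constructed for illustration.

```python
import ntpath
import re

# RunServices is the autostart key both removal procedures on this page point at.
RUNSERVICES = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"

# Constructed sample of a regedit text export (REGEDIT4 format); not data from the page.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Explorer"="C:\\WINDOWS\\Temp\\mbt.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"abcd"="C:\\WINDOWS\\SYSTEM\\ABCDdriv.exe"
'''

# "name"="data" string values; backslashes and quotes are backslash-escaped in exports.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(text):
    return re.sub(r"\\(.)", r"\1", text)

def classify(name, data):
    """Return a label if the value matches either removal description, else None."""
    base = ntpath.basename(data.strip().strip('"')).lower()
    if name.lower() == "explorer" and base == "mbt.exe":
        return "MBK"
    # The page spells the second trojan's file both *driv.exe and *drive.exe.
    if re.search(r"drive?\.exe$", base):
        return "IRC password stealer"
    return None

def scan(export_text):
    """Return (name, data, label) for suspicious RunServices values in an export."""
    hits, in_key = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == RUNSERVICES
            continue
        match = VALUE_RE.match(line) if in_key else None
        if match:
            name, data = unescape(match.group(1)), unescape(match.group(2))
            label = classify(name, data)
            if label:
                hits.append((name, data, label))
    return hits
```

A hit is a prompt to review the entry by hand; a legitimate program whose file name happens to end in drive.exe would also be flagged.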