Thread: Don't be stupid.

  1. #1
    Relic Horn
    Join Date
    Oct 2005
    Posts
    3,144
    BG Level
    7
    FFXI Server
    Unicorn
    WoW Realm
    Shattered Hand

    Don't be stupid.

    http://img160.imageshack.us/img160/9154/whatnow3uz.jpg

    Now for the story of how I managed to get this pic...

    Who remembers seeing those generally vague posts about Parsers/Bots with links to exes named POS_Logger.exe and DamageProc.exe? Viruses of course, cue the picture of "This guy seems legit" that priran posted. Anyway using a trick that aurik (don't tell anyone what it was, I plan on doing this again if he makes another post) showed me I managed to get the contents of the exe in a somewhat readable format. I located the IP of the server that the trojan horse phoned home to and ran a quick portscan to see what services were running on it. Found: Port 21 (FTP). So I go back and dig through the exe and find 2 lines in there:

    Admin
    gGPaK45w

    I did what any normal geek would do and logged in to his FTP and started poking around. Tons of porn, some Final Fantasy Roms, some Music but what's this...a folder called accounts? Jackpot. I tried to copy as much as I could, but by 1pm Central today he found out I was leeching his server hard (over 1000 folders in that directory, and FTP doesn't like transferring tons of small files so it went sloooow) and I got shut out. I started with the old ones in April (stupid me), and moved up to the newer ones. I made it up to June 14th. All in all I'd guess about 8-12 different computers were compromised, I'm not sure how many were compromised from yesterday's posting as I didn't make it up the logs that far =(. These 1000+ folders were all filled with keylogs, detailed records of every keystroke done on the compromised machine. That's a ton of shit to look through.

    Anyway some of you may know Totien. I'm sure he's wisened up by now and is using a password a little more secure than "budlight" lol. According to what I see here his machine was compromised on April 18th of this year.

    I've got a lot more interesting tidbits I found out about in here, but I'm not going to compromise ANY accounts if I find any passwords, rather I will do everything I can to contact that person and have them prevent anything happening to their character.

    So far I've found:
    Morie - Bahamut server
    Totien - Not sure what server but it's too late =(
    Etern - Bahamut server (Japanese)
    Avid - Bahamut? (Japanese)
    Pyoi - Bahamut Server (Japanese in zigma's Wyrm Shell lol) it is also possible Akuby was compromised as a result of this since it looks like Pyoi and Akuby are the same person from the information I have, or they share accounts/computers.

    Anyway, I'll update this as I find more. There is just way too much stuff to sort through. If you are on Bahamut please contact these people and instruct them to do a full wipe of their computer.


    VIRUS SCANS DO NOT DETECT THIS TROJAN HORSE

  2. #2
    Smells like Onions
    Join Date
    Jan 2006
    Posts
    6
    BG Level
    0

    You are amazing good sir

  3. #3
    Cerberus
    Join Date
    Oct 2005
    Posts
    439
    BG Level
    4
    FFXI Server
    Diabolos

    Old. I heard about this last night...

    ...but probably since you were on TheIRC with us. Took you long enough to type this up.

  4. #4
    New Spam Forum
    Join Date
    Nov 2004
    Posts
    154
    BG Level
    3

    Holy mother, good detective work.

  5. #5

    wow....

  6. #6
    Vobent
    Guest

    A winnar is you.

  7. #7

    Wow... You are teh winRAR

  8. #8
    Relic Shield
    Join Date
    Sep 2004
    Posts
    1,726
    BG Level
    6
    FFXI Server
    Bahamut

    I was wondering what was up with this epidemic of people /telling me links to trojans. Valintino's account got compromised too I think..

  9. #9

    Good job.

    Where were these .exe's at that you were talking about? You said they were posted on here?

  10. #10
    Banned.

    Join Date
    Dec 2005
    Posts
    15,022
    BG Level
    9

    Old. I heard about this last night...
    Then how is it old?

    Anyway, awesome lawl ;o.

  11. #11
    Bagel
    Join Date
    May 2005
    Posts
    1,300
    BG Level
    6
    FFXI Server
    Sylph

    mr argus flee tool and POS

    anyways, good job that's some CSI shit lol

  12. #12

    Is there any way to tell or even be vaguely aware of the presence of this Trojan on your computer?

  13. #13

    Dezzimal, Could you post a Mirror of one of the Infected files so I can look at it?

  14. #14
    Relic Shield
    Join Date
    Nov 2004
    Posts
    1,553
    BG Level
    6
    FFXI Server
    Bahamut

    What do you mean by "it's too late"?

  15. #15
    Relic Horn
    Join Date
    Oct 2005
    Posts
    3,144
    BG Level
    7
    FFXI Server
    Unicorn
    WoW Realm
    Shattered Hand

    Quote Originally Posted by Mifaco
    I was wondering what was up with this epidemic of people /telling me links to trojans. Valintino's account got compromised too I think..
    Yes Valintino is in here. Have him change his xdeathasylum.com password too.

  16. #16
    Salvage Bans
    Join Date
    Nov 2005
    Posts
    953
    BG Level
    5
    FFXIV Character
    Oro Oro
    FFXIV Server
    Hyperion
    FFXI Server
    Titan

    Quote Originally Posted by Parshath
    Is there any way to tell or even be vaguely aware of the presence of this Trojan on your computer?
    lol i guess if you have pos/fleetool/mrargus that's probably a good indication.

  17. #17
    Been Here Longer Than you
    Join Date
    Jan 2005
    Posts
    29,562
    BG Level
    10

    Plz stop giving away my gil secrets.

  18. #18
    Old Merits
    Join Date
    May 2005
    Posts
    1,210
    BG Level
    6
    FFXI Server
    Asura

    Nice work, one of the reasons why I'm scared to actually download a parser. And LOL at all those pos/flee/argus pics.

  19. #19

    My mummy always said cheaters never prosper.

  20. #20
    Relic Horn
    Join Date
    Oct 2005
    Posts
    3,144
    BG Level
    7
    FFXI Server
    Unicorn
    WoW Realm
    Shattered Hand

    Quote Originally Posted by Ichthyos
    Quote Originally Posted by Parshath
    Is there any way to tell or even be vaguely aware of the presence of this Trojan on your computer?
    lol i guess if you have pos/fleetool/mrargus that's probably a good indication.
    The best way in my opinion would be an external firewall that can monitor what is getting sent where without the interference of being run on your computer where it is totally vulnerable to being compromised by the Virus/Trojan. Best defense by far though is the thread title. Don't download random .exes from people you don't know (and sometimes even people you do know).
