1998-06-10 - backdoor trojan in ICKill

Header Data

From: nobody@REPLAY.COM (Anonymous)
To: cypherpunks@toad.com
Message Hash: 893047e99487fc91c53c1bc09142cb812231c84eef41bb05dd2c42b5fd28e597
Message ID: <199806102100.XAA27780@basement.replay.com>
Reply To: N/A
UTC Datetime: 1998-06-10 21:00:48 UTC
Raw Date: Wed, 10 Jun 1998 14:00:48 -0700 (PDT)

Raw message

From: nobody@REPLAY.COM (Anonymous)
Date: Wed, 10 Jun 1998 14:00:48 -0700 (PDT)
To: cypherpunks@toad.com
Subject: backdoor trojan in ICKill
Message-ID: <199806102100.XAA27780@basement.replay.com>
MIME-Version: 1.0
Content-Type: text/plain


----Forwarded text--------------------------------------------------
Subject: backdoor trojan in ICKill
   Date: Sun, 7 Jun 1998 19:44:28 -0400
   From: Bachrach <bachrach@netreach.net>
     To: BUGTRAQ@NETSPACE.ORG

    First off, I'm not 100% sure if this is the appropriate forum for this
since it's not really a weakness, but rather a programmer who is putting
backdoors into some programs. Then again, technically that's an exploit...
Oh, I don't know. If this is the wrong place then I apologize profusely
for the waste of bandwidth and plead ignorance, but here goes:
    Well, chances are none of you guys have ever used this program, or even
heard of it, but there are a lot (35,000) of people who have. I originally
downloaded it because I've been researching a lot of the weaknesses in the
ICQ protocol (which has become easier as time has gone on. :)). Anyway,
after you run it (ICKill), it creates a file in the directory called 1.exe
that acts as a fake explorer. 1.exe accesses your regedit database, and
copies itself to windows/system. It changes the regedit so that the fake
one will run on startup. It acts mostly the same as the normal explorer
with one very crucial exception. It contacts a host (I still can't figure
out which one), and executes the commands that are embedded within a text
file on the computer. Anyone see it yet? Backdoor city. I contacted the
author (who left his e-mail address in the readme), and he's the one who
explained the backdoor thing. He also told me a few other things that made
me write up to this group.
    He said that he had gotten almost 35,000 different people's systems
calling up his computer at one point; essentially he has backdoors to
35,000 systems across the globe. When I asked him why he would go through
all the trouble to do this he gave me two reasons:
1. IF (and he emphasized the if) he was a hacker he could use a couple of
other people's computers as hops when hacking into a system. Kind of nasty
for the sysadmin trying to trace a break-in, huh?
2. To quote him: "And the backdoors can auto-update themselves.. so
Imagine I can code a virus like backdoor... Whoaaa! This will be like THAT
internet worm.."
3. He also said "Imagine also.. 35,000 backdoored (yeah, I reached this
number) connections pinging or SYN flooding some server.."

Well if anyone out there is using or has ever used ICKill then get rid of
it. I have actually set up a page on this to both inform people and
explain how to get rid of all traces of the program that I currently am
able to at http://members.tripod.com/~hakz/ICQ/index.html That site also
has all of the letters I wrote to him and he wrote to me if you want to
see the entire things. It's also got some other info I couldn't fit into
this message, including all of the mistakes the author made (guess he
needed better beta testing). My last question is this: if one person has
backdoors into thousands of computer systems, doesn't that pose some sort
of risk to the internet community as a whole? There's one person who's
been saying that I should notify the FBI about this. As you can see I
decided to start here first.

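The persistence pattern the forwarded post describes (a file named 1.exe copied into the Windows system directory and registered to run at startup) can be hunted for offline in a registry export. The check below is an added example, not code from the post, its author, or ICKill itself (the post includes no code): it parses a `.reg` export, looks only at the Run/RunOnce/RunServices keys, and flags an entry whose executable name is just a number, or whose value name imitates a Windows component ("Explorer") while launching a different binary. The sample export, the key list, the `MIMIC_NAMES` set and both heuristics are assumptions; the post does not say which key or value name ICKill actually wrote.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample .reg export (assumed data, not taken from the post): two
# ordinary Windows 98-era Run entries plus one modelled on the post's
# description of the ICKill dropper, a file named 1.exe copied into the
# Windows system directory and registered to run at startup. The post does
# not name the key or value ICKill wrote; "Explorer" and the Run key are
# assumptions made for this example.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Explorer"="C:\\WINDOWS\\SYSTEM\\1.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"""

# Autostart keys to inspect (matched as a case-insensitive suffix of the key path).
AUTORUN_KEYS = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows\currentversion\runservices",
)

# Value names a dropper might pick to look like part of Windows (assumed list).
MIMIC_NAMES = {"explorer", "system", "kernel", "windows", "shell"}

# Matches a REG_SZ line of a .reg export:  "name"="data"  or  @="data"
VALUE_RE = re.compile(
    r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))='
    r'"(?P<data>(?:[^"\\]|\\.)*)"$'
)


def unescape(s):
    # In .reg syntax a backslash escapes the following character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value_name, data) triples for the string values in a .reg export."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key section
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "@" if m.group("default") else unescape(m.group("name"))
            entries.append((key, name, unescape(m.group("data"))))
    return entries


def executable_of(command):
    """First token of a Run-key command line: the program path, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_reasons(value_name, command):
    """Heuristics (assumed for this example, not taken from the post) for one entry."""
    base = PureWindowsPath(executable_of(command)).name.lower()
    stem = base.rsplit(".", 1)[0]
    reasons = []
    if stem.isdigit():
        reasons.append("executable name is just a number (the post's 1.exe pattern)")
    if value_name.lower() in MIMIC_NAMES and stem != value_name.lower():
        reasons.append("value named like a Windows component but runs a different binary")
    return reasons


def find_suspicious_autoruns(reg_text):
    """Scan every Run/RunOnce/RunServices value in a .reg export and report hits."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.lower().endswith(AUTORUN_KEYS):
            continue
        reasons = suspicious_reasons(name, data)
        if reasons:
            hits.append({"key": key, "name": name, "command": data, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_autoruns(SAMPLE_REG):
        print(f"{hit['key']}\n  {hit['name']} = {hit['command']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

On a Windows 9x machine the export would come from `regedit /e`; the script itself runs anywhere. The Run keys are not the only autostart path on that platform (win.ini `load=`/`run=` and the system.ini `shell=` line also start programs), so a hit here is a lead to follow up against the removal steps on the author's page, and a clean result is not proof the machine is clean.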