  1. DO NOT OPEN THIS FILE

Hello folks, I posted this over at the forums of the guy the email was supposedly sent from (it wasn't actually sent from him), but I will post this here as well.

Yes, the file is full of nasties.

Basically this was sent out to people that had previously had accounts on Dampe's forums - Dampe being the guy who was supposedly making the OOT2D that faked his own death. Dampe's website used to be hosted by the people at MonkeyDog, and the owner of that site is the email address that it was supposedly sent from. Whoever REALLY sent this clearly has a grudge against Monkeydog for some reason - the theory is it's Dampe sending it out to try and get at his old host.

Oot2Dv1.029.exe is a compiled AutoIt script that
- extracts to C:\Windows:
  - thegame.exe
  - bwraep.exe
  - udpflood.exe
  - tcpflood.exe
- extracts to its own directory zeldarun.exe which is the test level of the game

It then sets a registry key to launch thegame.exe on boot, and runs thegame.exe and zeldarun.exe.

Thegame.exe is a compiled AutoIt script that
- installs to C:\Windows the file "invi.dll" which it uses to hide itself so it doesn't appear in the task manager
- starts an IRC client - hidden, again, which connects to channel #autoit on irc.freenode.net (port 6667) and reports in
- downloads a config file from the net and saves it as C:\windows\enc.ini
- downloads a file that tells the DoS tool what urls to hit, this it saves as C:\windows\urls.txt

As far as I can see these are
http://xplodemods.freehostia.com/logos/Xplode.jpg
http://xplodemods.freehostia.com/logos/xbox%20360.jpg
http://xplodemods.freehostia.com/logos/Blue%20ROL.jpg
http://xplodemods.freehostia.com/logos/xbo...60%20repair.jpg
http://xplodemods.freehostia.com/logos/Xbox%20Logo.jpg
http://xplodemods.freehostia.com/logos/Wii.jpg
http://xplodemods.freehostia.com/logos/Xplode.jpg
http://xplodemods.freehostia.com/logos/PS2%20Logo.jpg

So basically it's a botnet. At some point the person in control can go into that channel and tell it to start any of the DoS tools, download a new list of targets etc.

So the burning question is, who did it? Sadly I don't have an answer to that, although I can tell you that the config files are downloaded from http://a-cksdj7.110mb.com/enc.ini which may be his website. It says

    advertising teamluminax.net is under construction! check back for updates! contact admin: monkeydogrm2k@gmail.com advertising

All this sounds impressive but it looks like it was cobbled together from script kiddie components.

So yeah, if you have any of these files on your machines, please delete them, you wouldn't want to inadvertently become a part of his botnet.

OTHERWISE, DO NOT RUN THIS FILE - IT'S NASTY.

Also just to repeat, despite what it says, this has nothing to do with the guys at Monkeydog, whoever's sending this out is just trying to get them in trouble.
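
An added example, not part of the original post: a read-only PowerShell check for the files, autostart entry and IRC connection the post describes. The post only says "a registry key", so the two standard Run keys used here are an assumption, and `Get-NetTCPConnection` requires Windows 8 / Server 2012 or later.

```powershell
# Read-only triage for the artifacts named in the post. Nothing is deleted.
$winDir    = $env:windir
$fileNames = 'thegame.exe', 'bwraep.exe', 'udpflood.exe', 'tcpflood.exe',
             'invi.dll', 'enc.ini', 'urls.txt'

# Assumption: persistence uses one of the standard Run keys.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$findings = @()

# 1. Files the post says are dropped into C:\Windows (-Force reads hidden files too).
foreach ($name in $fileNames) {
    $path = Join-Path $winDir $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $path
            Detail   = '{0} bytes, last written {1:u}' -f $item.Length, $item.LastWriteTime
        }
    }
}

# 2. Autostart values whose command line references thegame.exe.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($valueName)
        if ($data -match 'thegame\.exe') {
            $findings += [pscustomobject]@{
                Type = 'RunKey'; Location = "$key\$valueName"; Detail = $data
            }
        }
    }
}

# 3. Outbound connections to the IRC port from the post (6667). The bot hides
#    from Task Manager, so the socket table is checked instead of process names.
#    A legitimate IRC client will also show up here.
$conns = Get-NetTCPConnection -RemotePort 6667 -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $findings += [pscustomobject]@{
        Type = 'TCP'; Location = "$($c.RemoteAddress):$($c.RemotePort)"
        Detail = "state $($c.State), owning PID $($c.OwningProcess)"
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'None of the artifacts from the post were found.' }
```

Run it from an elevated prompt so the HKLM key and all sockets are visible; an empty result only covers the locations checked here.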
