BitCoin Miners and DirectConnect Bots
Imagine, if you will, a new user who just heard about the DirectConnect network and downloaded a NMDC client (may that be DC++, StrongDC++, Greylink++ or other client). The client is started and the user clicks the "Public hublists" button. A new normal user, of course, would join the first few biggest hubs. A few file lists are downloaded and.. what's next? A search. A search for something Google can't find. What if there are no results from all hubs the new user is in ? Well.. there are! Search for any random string and you get at least one result from a bot that has a file named by your searched string which ends with ".exe"!You can notice that there is no path for the shared executable file. An attempt to get a bot's file list will get your IP blocked and all further connection requests to it rejected. The bot can provide an .exe and that's it. Currently, its IP in all hubs is 198.52.199.120 , and it can be reported to abuse@avantehosting.net and to abuse@centarra.com .
But, the big question is, what does the trojan do?
The trojan is a WinRAR self extracting archive that executes the following install script:
Code
Setup=ncmd.exe exec hide "dep.bat"TempMode
Silent=1
Overwrite=1
The archive contains the following files:
Code
02/20/2014 10:46 PM 248,980 32.rar02/20/2014 10:46 PM 239,972 64.rar
02/20/2014 10:47 PM 1,382,636 at.rar
02/17/2014 11:24 PM 969 dep.bat
01/23/2014 07:16 PM 77 ms.vbs
08/11/2013 03:41 PM 44,032 ncmd.exe
02/20/2014 10:48 PM 2,836,268 nv.rar
12/01/2013 02:08 PM 306,776 svchost.exe
8 File(s) 5,059,710 bytes
All the .rar archives are password protected. The password to extract files from them is 12345 . Each archive contains a coin mining tool (minerd 32/64, cgminer and CudaMiner). By default, they use the mining server from eu.wafflepool.com:3333 and they update the BitCoin wallet 1KGE8qgbR7mafVtvt2YsS5hYau9YLRXJx4 using the password x . Svchost.exe (306776 bytes) is the renamed command line RAR, ncmd.exe (44032 bytes) is the NirSoft command line utility that can hide the console, dep.bat (969 bytes) is the actual installer that extracts files from password protected archives to %APPDATA%\WinUpdate\, and ms.vbs (77 bytes) is a command line message box popup generator.
Code
Set objArgs = WScript.ArgumentsmessageText = objArgs(0)
MsgBox messageText
Ms.vbs is used by dep.bat, after installing all the svchost.exe's and winlogon.exe's from the password protected archives to show a message box with the following string: "Error loading dll.".
If you are infected with this trojan, your overall system performance is decreased because your system resources are used to generate money for the trojan spreader.
How much money did this trojan make for its owner? You can check its infection stats here: http://wafflepool.com/miner/1KGE8qgbR7mafVtvt2YsS5hYau9YLRXJx4 (in case you need a password, you can use "x").
Do not download anything from these bots and use the +report command to report them to the operators that are online in the hubs you found them!
Hub voting system
Finally I had some time to re-add good old hub voting system to hublist engine. The voting is made two ways, good votes and bad votes, it's up to you which to choose. Remember, you can only vote for a hub once a day and voting for banned hubs is forbidden. You should also know that all votes are logged using your IP address, and if we find out that you're trying to cheat by using different IP addresses, your hub will get banned. Good luck.Hublist registration server
We've done huge improvements on hublist registration server which is running on address hublist.te-home.net:2501. Now it supports up to 1000 simultaneous registration requests. Here is how you add it to your hub:HeXHub
!set hls server add hublist.te-home.net
Verlihub
!set hublist_host hublist.te-home.net
HeXHub 5.11
Changes in 5.11
corrected: the user search function that uses qsdchublist.com was removed because it is no longer available (thanks to Molotov and RoLex for reporting this problem)if other separators are used for hub's public addresses they are converted to commas (thanks to RoLex for reporting this problem)
added support for $HubInfo extensions that are supported by some hublists; currently, "category" and "encoding" are not used (requested by RoLex)
$SetIcon was moved before $HubInfo (requested by RoLex)
the license was changed to GPL
File information: HeXHub 5.11
Merry Christmas & Happy New Year!
At the close of another year, we gratefully take time to wish you and your family a happy holiday season and prosperous new year.Team Elite