Late Friday Night with |] |v| (DOOM)
Although I had made it into the private chat room, this victory was short-lived. No more than five minutes went by before I found myself booted from #tkworld1. I tried to get back in, but the room seemed to have been locked down. I kept trying to find a way in and was getting very frustrated when I suddenly noticed that a new room had appeared named TK. I quickly joined this room (no password needed) and found a user with a very hackerish name who I also noticed in the #tkworld1 room and in the dump file (see Figure 3). However, because the name was cryptic, I didn't really pick up on the fact that it could have been a real person. Feeling a bit foolish, I first fired off a message to the room and then directly to the username, asking if this was a real person or just another bot. To my surprise |]|v| responded!
To make a long story short, our conversation went through several stages. At first DOOM was very curious about who I was and how I got there and what I knew about #tkworld. I replied with a miniature version of my story thus far and asked what he knew. Not surprisingly, he was very vague in his answers but let on to several interesting tidbits of information:
He had set up the chat server for a "friend."
The TK worm had been recently released, and the chat server had been online only for a few hours.
The IRC worm had been installed as a service.
The worm facet used the IIS Unicode exploit to spread.
His IRC program was labeled Thr34t IRC.
He was still in school and lived in the U.K. (possibly false).
The conversation lasted about a half hour, with some tangents about various things, but it ended with me asking if I could get a copy of the Trojan files and if he could tell me what the password was to the #tkworld rooms. Both requests were politely denied, but I had more than enough information to start looking for the answer myself. I signed off and went to get some sleep.