| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 29 Jan 2004 23:00:20 +0100 (MET) From: markus-1977@....net To: bugtraq@...urityfocus.com Subject: Re: new WIN virus? Hi, Seems that the webpage uses several known (unfixed) exploits in IE, i.e. it spoofes the URL in the adress-bar and overwrites Mediaplayer with an executable (updatte.exe). I took a quick look at the executable. It seems to be some sort of 900#-dialer. I couldn't find out a lot since all my disassembly tools don't like the stuff that my unpacker produced (the executable uses an exe-packer called FSG), but from the API that's imported (some RAS stuff) my best guess right now is that it is yet-another-dialer. Strings in the unpacked executable seem to be encrypted for the most part. If this spam was meant to be for the German "market", the spamers forgot to register their dialer with the RegTP/government, so no lead there... Markus -- The early bird gets the worm. If you want something else for breakfast, get up later. +++ GMX - die erste Adresse für Mail, Message, More +++ Bis 31.1.: TopMail + Digicam für nur 29 EUR http://www.gmx.net/topmail
Powered by blists - more mailing lists