| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: remko at elvandar.org (Remko Lodder)
Subject: http://federalpolice.com:article872@...5686747
Hi,
Just wanted to reply on this
my Mailscanner reported this:
Our content checker found
virus: TrojanSpy.Agent.D
in an email to you from:
stating this from the message Nicola send.
I think that could give some more info.
Anyways. My AV scanner is ClamAV.
Cheers.
--
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the
hackerscene
mrtg.grunn.org Dutch mirror of MRTG
-----Oorspronkelijk bericht-----
Van: full-disclosure-bounces@...ts.elvandar.org
[mailto:full-disclosure-bounces@...ts.elvandar.org]Namens Erik van
Straten
Verzonden: zondag 15 februari 2004 23:40
Aan: Nicola Fankhauser
CC: full-disclosure@...ts.netsys.com
Onderwerp: Re: [Full-Disclosure]
http://federalpolice.com:article872@...5686747
Hi Nicola,
It's not a zip file, not an applet, but a plain EXE file. Seems
compressed somehow, no time to figure it out now. Dunno why Mozilla
runs this (I don't like it).
If something showed up in your status bar, you should definitely assume
your box was compromised.
Take care out there,
Erik
On Sun, 15 Feb 2004 20:20:11 +0100 Nicola Fankhauser wrote:
> hi jedi
>
> On Sun, 2004-02-15 at 18:45, Jedi/Sector One wrote:
> > This is equivalent to http://64.29.173.91/
>
> ok, and the html of the index page is as following:
>
> <html><body bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>
> <h2>SERVER ERROR 550</h2>
> <applet ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1
HEIGHT=1></applet></body></html>
>
> now, the "SERVER ERROR 550" is clearly a fake - the java applet below
> just starts fine. strangely, the 'javautil.zip' is not a valid zip-file,
> yet 'appletviewer' and mozilla (don't know about MS IE; too dangerous :)
> happily start the applet without any hickups or exceptions and mozilla
> states 'Applet BlackBox started' in the status bar.
>
> is there anybody knowledgable interested in un-zipping, de-compiling and
> analysing this surely malicious applet? I would like to know what
> mozilla just executed on my behalf there... :(
>
> FYI, the file 'javautil.zip' attached is directly taken from the site
> mentioned above.
>
> regards
> nicola
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-disclosure mailing list
Full-disclosure@...ts.elvandar.org
http://lists.elvandar.org/mailman/listinfo/full-disclosure
Powered by blists - more mailing lists